About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature interface of SoftICE: with 'BCHK'
in EBP and AX=4, SoftICE's int 3 handler recognises the call and returns
with AL modified, whereas without a debugger AL still holds 4 afterwards.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; DS:DX points to the command)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; DS:DX points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; back door call (if SoftICE is not loaded, jump to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jump back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at DS:DX, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point). A VxD that is not loaded returns ES:DI = 0:0.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one temporarily installs its own
int 41h handler (a bare IRET) so that, without a debugger, AX comes back
unchanged; it assumes ES = 0 (the interrupt vector table), which Method 06
sets up explicitly:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our own handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect. The
installed handler copies AL into CL; if SoftICE intercepts int 41h before
the vector in the IVT is reached, the handler never runs and CL stays 0
while AL holds the value read from the timer port (if that read happens to
return 0 the check misses, so it is not fully reliable):

int41handler PROC
    mov     cl,al                   ; runs only if no debugger swallowed the int
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; swap in our own handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; PIT counter: a value the debugger cannot predict
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); DS:DX
points to the new routine to execute (hangs the computer...).

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, 01h                 ; interrupt number (01h or 03h)
    mov     dx, offset New_Int_Routine ; DS:DX -> new handler (DS = CS assumed)
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ECX)
if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
   mov     edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether memory breakpoints are set (DR0 to DR3), simply by reading their
values (ring 0 only). The values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
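As an added example (my code, not part of the original text), the decoder below shows what the two DR7 values quoted above actually encode and how a BPM shows up in the register. Bit 10 of DR7 is reserved and always reads as 1, which is where the 0x400 baseline comes from, so "DR7 != 0" is not a signal by itself; 0x700 is that bit plus LE and GE (bits 8 and 9). Reading or writing DR7 needs ring 0 (mov eax,dr7 in a VxD; from ring 3 the instruction raises #GP), so this example only decodes values passed in. The sample values are constructed; the function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
 *   bits 0-7   L0 G0 L1 G1 L2 G2 L3 G3   local/global enable for DR0..DR3
 *   bit  8     LE, bit 9 GE              "exact" breakpoint enables
 *   bit  10    reserved, always reads as 1  -> the 0x400 the text quotes
 *   bit  13    GD  general detect: any mov to/from DRn raises #DB
 *   bits 16-31 R/Wn (2 bits) and LENn (2 bits) for each DRn
 * 0x700 is therefore 0x400 | GE | LE; a BPM additionally sets Ln/Gn and
 * the R/Wn + LENn fields of the slot it uses. */
#define DR7_LE 0x100u
#define DR7_GE 0x200u
#define DR7_GD 0x2000u

/* 1 if DRn is armed as a hardware breakpoint (local or global enable). */
int dr7_bpm_enabled(uint32_t dr7, int n) {
    return ((dr7 >> (2 * n)) & 3u) ? 1 : 0;
}

/* Number of DR0..DR3 slots currently armed (SoftICE BPMs show up here). */
int dr7_bpm_count(uint32_t dr7) {
    int c = 0;
    for (int n = 0; n < 4; n++) c += dr7_bpm_enabled(dr7, n);
    return c;
}

/* Break condition of slot n: R/W field at bits 16+4n..17+4n. */
const char *dr7_bpm_kind(uint32_t dr7, int n) {
    switch ((dr7 >> (16 + 4 * n)) & 3u) {
    case 0:  return "exec";
    case 1:  return "write";
    case 2:  return "io";          /* only meaningful with CR4.DE set */
    default: return "read/write";
    }
}

/* Length of slot n in bytes: LEN field at bits 18+4n..19+4n. */
int dr7_bpm_len(uint32_t dr7, int n) {
    switch ((dr7 >> (18 + 4 * n)) & 3u) {
    case 0:  return 1;
    case 1:  return 2;
    case 2:  return 8;             /* 64-bit mode only; undefined elsewhere */
    default: return 4;
    }
}

/* The check the text describes: LE and GE both set (0x700) versus the bare
 * reserved bit (0x400). This is SoftICE-loader behaviour as the text reports
 * it, not a CPU property, so treat it as a heuristic. */
int dr7_looks_like_softice_loader(uint32_t dr7) {
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

/* "Values can be manipulated": DR7 with slot n disarmed (enable bits and its
 * R/W + LEN fields cleared). Writing the result back is ring 0 work. */
uint32_t dr7_clear_bpm(uint32_t dr7, int n) {
    dr7 &= ~(3u << (2 * n));
    dr7 &= ~(0xFu << (16 + 4 * n));
    return dr7;
}

void dr7_describe(uint32_t dr7) {
    printf("DR7=%08X  LE=%d GE=%d GD=%d  loader-signature=%d\n", dr7,
           !!(dr7 & DR7_LE), !!(dr7 & DR7_GE), !!(dr7 & DR7_GD),
           dr7_looks_like_softice_loader(dr7));
    for (int n = 0; n < 4; n++)
        if (dr7_bpm_enabled(dr7, n))
            printf("  DR%d armed: %s, %d byte(s)\n", n,
                   dr7_bpm_kind(dr7, n), dr7_bpm_len(dr7, n));
}

int main(void) {
    /* Constructed values: the two the text quotes, plus one with a 4-byte
     * write BPM in DR0 (L0|G0 set, R/W0=01, LEN0=11). */
    uint32_t samples[] = { 0x400u, 0x700u, 0x000D0403u };
    for (size_t i = 0; i < 3; i++) dr7_describe(samples[i]);
    printf("after clearing DR0: %08X\n", dr7_clear_bpm(0x000D0403u, 0));
    return 0;
}
```

The 0x000D0403 sample is what a "BPM addr W" on DR0 leaves behind: the enable bits in the low byte, and the type/length nibble at bits 16-19. A protection that only checks the low byte against 0 catches BPMs; one that checks LE/GE catches the loader; clearing a slot with dr7_clear_bpm and writing it back is the "manipulation" the text warns you to avoid tracing through.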

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to let the
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the open succeeded: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>