About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
, e# ]% k: ?( ]) D; s4 B! A<TD><PRE>Method 01 $ Y. n8 `; I! ?4 @* _$ G" H
=========
9 a8 m- h/ O* I$ _% [( v7 L) i$ y; e7 u" F, k2 l4 Z8 U
This method of detection of SoftICE (as well as the following one) is
% c* c7 }+ c: H! V3 H9 Iused by the majority of packers/encryptors found on Internet.
1 p1 j( s* v% E; Z2 h3 tIt seeks the signature of BoundsChecker in SoftICE5 h. g( w, D& `! W$ @

! ^. x& e- ~4 ]& y7 X* s; h    mov     ebp, 04243484Bh        ; 'BCHK'
1 e) S# U% S" q    mov     ax, 04h
4 U1 C1 m, D9 q5 X    int     3      
  X5 b# H; i* _$ Y: i6 h) Y    cmp     al,4, I* y* F# y$ ?8 K& o1 k
    jnz     SoftICE_Detected
0 E! T5 V- L4 F' e5 a! w! d7 I6 m9 u( z, I2 k8 \5 ]- `3 X& m
___________________________________________________________________________9 F2 }6 h( a8 b7 b

Method 02
=========

Still a very common method (perhaps the most frequent one).  It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description (the function number is in AX, the call is int 3):
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' SoftICE expects.
For more information, see Ralf Brown's Interrupt List, entry for int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; back-door call (if SoftICE is not loaded, control goes to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jump back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* The "jmp to 00ADh" is performed via an exception handler (the program's own
int 03h handler) when the debugger is not loaded: SoftICE only swallows the
int 3 when it is active, otherwise the interrupt lands in that handler, which
resumes at 00ADh.
___________________________________________________________________________

Method 03
=========

Less-used method.  It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point): if a VxD with that ID is loaded, ES:DI receives
its API entry point, otherwise ES:DI stays 0.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE (SICE)
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI still 0 -> not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI still 0 -> not loaded
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h that every system debugger
returns in AX when int 41h, function 4Fh (the debugger installation check),
is called.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next one and the one in Method 06 are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our dummy int 41h handler,
    xchg    bx, es:[41h*4+2]        ; keeping the old vector in DX:BX
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; if our handler ran, AX is still 4Fh
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

The point of the dummy handler: without SoftICE the int 41h returns at once
through it and AX is unchanged (no 0F386h); SoftICE intercepts int 41h ahead
of the interrupt vector table, so its own handler still answers with 0F386h
and the vector swap does not hide it.

_________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one, but more difficult to detect since
no function number (4Fh) is passed at all: the program installs its own
int 41h handler that copies AL into CL, loads AL with a pseudo-random byte
read from the timer port, and issues int 41h with CX=0. If nothing intercepts
the interrupt, the handler runs and CL==AL afterwards; if SoftICE has hooked
int 41h, its handler answers instead, CL stays 0 and the mismatch gives
SoftICE away (a 'BPINT 41 if ax==4f' never fires here).

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; AL = PIT channel 0 counter byte
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode): function 43h of
int 68h is the debugger installation check, and a system debugger answers
with AX=0F386h, just like int 41h/4Fh.

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (which hangs the computer...).

    mov     ah, 25h                   ; DOS: set interrupt vector
    mov     al, Int_Number            ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
possible from ring 0 (a VxD, or a ring-3 app using VxDCall).
The Get_DDB service determines whether a VxD is installed for the specified
device and returns the Device Description Block (in ecx) for that device if
it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f


__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect whether SoftICE is loaded
(DR7=0x700 if the program was loaded with the SoftICE Symbol Loader, 0x400
otherwise: bit 10 of DR7 always reads as 1, and the loader additionally sets
the LE/GE exact-breakpoint enables, bits 8 and 9) and whether memory
breakpoints are set (DR0 to DR3, armed through the L0..G3 bits of DR7),
simply by reading their values (ring 0 only: a MOV from a debug register
faults in ring 3). The values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because a tool of that name was freely
distributed via www.winfiles.com. However it was first used by NuMega itself,
to let Symbol Loader check whether SoftICE was active (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver device handles (SICE and SIWVID on Win9x,
NTICE on WinNT) with the CreateFileA API. The open only succeeds when the
driver is loaded, so a valid handle means SoftICE is present.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* "\\\\.\\SICE" is the device name of the Win9x SoftICE VxD */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware program load/unload a
non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the carry flag to allow its
handle to be opened, and so it is detected.
You can check that simply by hooking the control proc entry point of
Winice.exe while running MeltICE.

  00401067:  push      00402025    ; "\\.\SICE"
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job (a return value of -1, HFILE_ERROR, means the
device could not be opened):

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) -> 0: not opened
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall back door. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
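A static scanner for the signatures this document has collected so far, as an added example that is not code from the original article nor from any of the protectors it names: it turns the instruction sequences of Methods 01, 02, 03/04, 05, 07 and 12 and the device and registry strings of Methods 11 and 13 into byte patterns and reports where they occur in a file, so the check can be found before you trace into it. It goes beyond any single method on purpose, covering them all in one pass. The encodings are the standard x86 ones; 16-bit forms are written without the 66h operand-size prefix so the same pattern also matches the 32-bit form where that applies. The sample buffer is constructed from the listings above and is not a real binary.

```python
"""Scan a binary for the anti-SoftICE signatures described in this article.

Added example, not code from the original article.  Patterns are regexes over
raw bytes; a hit is reported with its offset and the method it belongs to.
"""
import re
import sys
from collections import namedtuple

Hit = namedtuple("Hit", "offset method name")

# (method number in this article, description, byte pattern)
SIGNATURES = [
    ("01", "mov ebp,4243484Bh ('BCHK', BoundsChecker interface)",
     rb"\xBD\x4B\x48\x43\x42"),
    ("02", "mov si,4647h / mov di,4A4Dh (back-door magic values)",
     rb"\xBE\x47\x46\x66?\xBF\x4D\x4A"),
    ("03", "mov bx,0202h / int 2Fh (SICE VxD ID via 1684h)",
     rb"\xBB\x02\x02\xCD\x2F"),
    ("04", "mov bx,7A5Fh / int 2Fh (SIWVID VxD ID via 1684h)",
     rb"\xBB\x5F\x7A\xCD\x2F"),
    ("05", "mov ax,4Fh / int 41h (debugger installation check)",
     rb"\xB8\x4F\x00\xCD\x41"),
    ("05/12", "cmp ax,0F386h (magic-number compare; short, may false-positive)",
     rb"\x3D\x86\xF3"),
    ("07", "mov ah,43h / int 68h (V86 debugger check)",
     rb"\xB4\x43\xCD\x68"),
    ("11", r"\\.\SICE, \\.\SIWVID or \\.\NTICE device name (MeltICE)",
     rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00"),
    ("12", "push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("13", r"NuMega\SoftICE registry key",
     rb"NuMega\\SoftICE"),
]
COMPILED = [(m, n, re.compile(p)) for m, n, p in SIGNATURES]


def scan(data: bytes) -> list:
    """Return every signature hit in data, ordered by offset."""
    hits = []
    for method, name, pattern in COMPILED:
        for match in pattern.finditer(data):
            hits.append(Hit(match.start(), method, name))
    return sorted(hits)


def scan_file(path: str) -> list:
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample assembled from the listings in this article (not a real file):
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"          # 01: mov ebp,'BCHK'; mov ax,4; int 3
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # 02: mov ax,911h; mov dx,[bx]; mov si; mov di; int 3
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                      # 12: push 4Fh; push 2A002Ah
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                  # 11: device names
    + b"Software\\NuMega\\SoftICE\x00"                     # 13: registry key
)

if __name__ == "__main__":
    target = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE)
    for hit in target:
        print("%08x  method %-5s %s" % (hit.offset, hit.method, hit.name))
```

Run it with a file name to scan that file, or without arguments to scan the constructed sample. The three-byte cmp pattern is the weakest signature and is only useful as corroboration next to an int 41h or VxDCall hit; Method 06 has no fixed byte pattern at all (no function number is passed), which is precisely why the article calls it harder to detect.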

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'


__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

   VMMCall Test_Debug_Installed
   je      not_installed        ; ZF set -> no debugger

This service just checks a flag.