<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: if SoftICE answers the
'BCHK' int 3 request, al no longer holds 4.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints, execute SoftICE commands, etc.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce window)
 -AX = 0911h (Execute SIce command - the command string is at ds:dx)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

        4C19:0095 MOV  AX,0911      ; execute command.
        4C19:0098 MOV  DX,[BX]      ; ds:dx points to the command (see below).
        4C19:009A MOV  SI,4647      ; 1st magic value.
        4C19:009D MOV  DI,4A4D      ; 2nd magic value.
        4C19:00A0 INT  3            ; Int call (if SIce is not loaded, jmp to 00AD*)
        4C19:00A1 ADD  BX,02        ; BX+2 to point to the next command to execute
        4C19:00A4 INC  CX
        4C19:00A5 CMP  CX,06        ; Repeat 6 times to execute
        4C19:00A8 JB   0095         ; 6 different commands.
        4C19:00AA JMP  0002         ; Bad_Guy jmp back.
        4C19:00AD MOV  BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(API "Get entry point").

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants. The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but harder to detect (a value read
from the timer port is passed in al; if the installed handler really gets
control, cl equals al afterwards, otherwise something else swallowed the
int 41h):

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detecting the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way of crashing the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx)
for that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
values (in ring 0 only). The values can be manipulated or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose there is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try to
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp  eax,-001
        00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( :
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                     ; OF_READ
        mov  eax,[00656634]         ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax
        jnz  00650589               ; detected
        push 00                     ; OF_READ
        mov  eax,[00656638]         ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae               ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods
05 & 06) but very limited, because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxdCall
        cmp  ax, 0f386h         ; magic number returned by system debuggers
        jz   SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

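As an added example (not part of the original text), a small Python scanner that statically flags the byte patterns of the checks described in Methods 01 to 13 inside a raw code or data blob, so an analyst can locate the trick in a sample before stepping into it under a debugger. The constructed SAMPLE reproduces the Haspinst.exe fragment of Method 02, the int 2Fh probe of Method 03 and the MeltICE driver name of Method 11; the instruction encodings and the byte windows between instructions are my assumptions about how these fragments typically appear.

```python
# Added example (not part of the original text): static scanner for the
# anti-SoftICE checks of Methods 01-13. Encodings are the standard x86 ones for
# the listings above; the optional 66h prefix covers 16-bit operand forms
# appearing inside 32-bit code. Hits are hints for an analyst, not proof.
import re

DRIVER_NAMES = (b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE")  # Method 11
REG_KEY = b"Software\\NuMega\\SoftICE"                                # Method 13

def _either(literal: bytes) -> bytes:
    """Regex alternation matching LITERAL either as ANSI or as UTF-16LE."""
    wide = b"".join(re.escape(bytes([c])) + b"\x00" for c in literal)
    return re.escape(literal) + b"|" + wide

_F = re.DOTALL  # let ".{0,N}?" span arbitrary bytes between the instructions
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' handshake over int 3",
     re.compile(rb"\x66?\xbd\x4b\x48\x43\x42.{0,12}?\xcc", _F)),
    ("02", "int 3 back door (SI=4647h, DI=4A4Dh, either order)",
     re.compile(rb"(?:\x66?\xbe\x47\x46.{0,12}?\x66?\xbf\x4d\x4a|"
                rb"\x66?\xbf\x4d\x4a.{0,12}?\x66?\xbe\x47\x46).{0,12}?\xcc", _F)),
    ("03", "int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID, Method 04)",
     re.compile(rb"\x66?\xb8\x84\x16.{0,12}?\x66?\xbb(?:\x02\x02|\x5f\x7a)"
                rb".{0,12}?\xcd\x2f", _F)),
    ("05", "int 41h function 4Fh (Method 06 hooks the same vector)",
     re.compile(rb"\x66?\xb8\x4f\x00.{0,16}?\xcd\x41", _F)),
    ("07", "int 68h function 43h", re.compile(rb"\xb4\x43.{0,8}?\xcd\x68", _F)),
    ("11", "SoftICE driver name for CreateFileA/_lopen",
     re.compile(b"|".join(_either(n) for n in DRIVER_NAMES))),
    ("12", "VxDCall VWIN32_Int41Dispatch (push 4Fh / push 2A002Ah)",
     re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00")),
    ("13", "NuMega registry key", re.compile(_either(REG_KEY), re.IGNORECASE)),
]

def scan(blob: bytes) -> list:
    """Sorted (offset, method, description) hits found in BLOB."""
    return sorted((m.start(), meth, desc)
                  for meth, desc, pat in SIGNATURES for m in pat.finditer(blob))

def methods_found(blob: bytes) -> set:
    """Method numbers present in BLOB, for quick triage."""
    return {meth for meth, _, pat in SIGNATURES if pat.search(blob)}

# Constructed sample: the Haspinst.exe fragment (Method 02) as 16-bit code, then
# the Method 03 probe, then the MeltICE driver name (Method 11).
SAMPLE = (
    b"\xb8\x11\x09" b"\x8b\x17"              # mov ax,0911h / mov dx,[bx]
    b"\xbe\x47\x46" b"\xbf\x4d\x4a" b"\xcc"  # mov si,4647h / mov di,4A4Dh / int 3 (offset 5)
    b"\x83\xc3\x02" b"\x90\x90\x90\x90"      # add bx,2 / padding
    b"\x31\xff\x8e\xc7"                      # xor di,di / mov es,di
    b"\xb8\x84\x16" b"\xbb\x02\x02" b"\xcd\x2f"  # mov ax,1684h / mov bx,0202h / int 2Fh (offset 23)
    b"\x00\x00\x00" b"\\\\.\\SICE\x00"       # padding, then "\\.\SICE" (offset 34)
)

if __name__ == "__main__":
    for off, meth, desc in scan(SAMPLE):
        print(f"{off:#06x}  Method {meth}: {desc}")
```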
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>