<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

 mov ebp, 04243484Bh  ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al, 4            ; SoftICE changes AL when the BCHK handshake is recognised
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

 4C19:0095 MOV AX,0911    ; execute command.
 4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
 4C19:009A MOV SI,4647    ; 1st magic value.
 4C19:009D MOV DI,4A4D    ; 2nd magic value.
 4C19:00A0 INT 3          ; Int call. (if SIce is not loaded, jmp to 00AD*)
 4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
 4C19:00A4 INC CX
 4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
 4C19:00A8 JB 0095        ; 6 different commands.
 4C19:00AA JMP 0002       ; Bad_Guy jmp back.
 4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Entry Point"):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h        ; VxD ID of winice
 int 2Fh
 mov ax, es           ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax           ; ES:DI == 0000:0000 means the VxD is not loaded
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh        ; VxD ID of SIWVID
 int 2fh
 mov ax, es           ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in ax) by every
system debugger. It calls int 41h, function 4Fh.
There are several variants.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one temporarily swaps its own int 41h
handler into the vector table, so a debugger that sits on int 41h is the only
thing that can still return the magic value:

 xor ax,ax
 mov es,ax                 ; es = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]       ; install our own handler, keep the old one in dx:bx
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]       ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but harder to detect: the handler
copies AL into CL, so if SoftICE intercepts int 41h the handler never runs
and CL stays 0:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax                 ; es = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]       ; install our own handler
 xchg bx, es:[41h*4+2]
 in al, 40h                ; read the timer, a value that is hard to predict
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]       ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

 mov ah, 25h
 mov al, Int_Number        ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID        ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name      ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx            ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their value (in ring0 only). The values can be manipulated and/or changed as
well (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the device name succeeds only if the SICE VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025   ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
     *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                   ; OF_READ
 mov eax,[00656634]        ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589              ; detected
 push 00                   ; OF_READ
 mov eax,[00656638]        ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae               ; not detected

__________________________________________________________________________

Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh            ; function 4fh
 push 002a002ah            ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001     ; VxdCall
 cmp ax, 0f386h            ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
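For an analyst who wants to triage a sample for the tricks listed above (methods 01 to 13) without running it, the following added example (not part of the original document) searches a raw file image for the instruction byte sequences and strings those tricks leave behind. The opcode encodings are the standard 16/32-bit x86 forms of the listings above; the assumption is that the code was assembled as shown, and the embedded sample blob is constructed here for the demonstration.

```python
"""Static triage for the SoftICE-detection tricks listed in this document."""
import re

# name -> regex over raw bytes. Multi-byte immediates are little-endian.
SIGNATURES = {
    # Method 01: mov ebp,'BCHK' ; mov ax,4 ; int 3  (32-bit code carries a 66h prefix)
    "01 BoundsChecker BCHK": rb"\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC",
    # Method 02: mov si,4647h ; mov di,4A4Dh ; int 3  (either encoding of int 3)
    "02 int3 back door": rb"\xBE\x47\x46\xBF\x4D\x4A(?:\xCD\x03|\xCC)",
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    "03/04 int2F Get Entry Point": rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    "05 int41 fn 4F": rb"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3",
    # Method 07: mov ah,43h ; int 68h
    "07 int68 fn 43": rb"\xB4\x43\xCD\x68",
    # Method 12: push 4Fh ; push 2A002Ah ; call VxDCall
    "12 VxDCall Int41Dispatch": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 11: ASCII device names \\.\SICE, \\.\SIWVID, \\.\NTICE (NUL-terminated)
    "11 driver name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # Method 13: the registry key most programs use (ASCII form only)
    "13 registry key": rb"Software\\NuMega\\SoftICE",
}


def scan(data: bytes):
    """Return sorted (offset, name) pairs for every signature hit in data."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, data):
            hits.append((m.start(), name))
    return sorted(hits)


def triage(data: bytes):
    """Return the set of trick names found, for a quick verdict."""
    return {name for _, name in scan(data)}


# Constructed sample: filler bytes with three of the tricks embedded.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # method 01, 32-bit
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                  # method 05
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                                           # method 11 string
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:06x}: {name}")
```

A hit only says the byte pattern is present; a packer may build the same sequence at run time or split it with junk instructions, so an empty result is not proof that none of these tricks is used.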
</PRE></TD></TR></TBODY></TABLE>