About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; SoftICE's BoundsChecker interface changes al;
    jnz     SoftICE_Detected       ; without SoftICE, al is still 4

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach SoftICE's 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SIce window)
-AX = 0911h   (Execute a SIce command -the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di           ; es:di=0 beforehand, so a non-zero result
    mov     ax, 1684h       ; can only come from the VxD answering
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers.  It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next example, as well as the one in Method 06, comes from Stone's
"stn-wid.zip" (www.cracking.net).  It first swaps its own do-nothing handler
into the int 41h vector, so that a reply of 0F386h can only come from
something that intercepts int 41h ahead of the IVT (i.e. the system debugger):

    xor     ax,ax
    mov     es,ax               ; es=0: the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install int41handler2, remember the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al               ; only runs if nobody intercepts int 41h before the IVT
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax               ; es=0: the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install int41handler, remember the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; PIT channel 0 counter: a hard-to-predict value
    xor     cx,cx
    int     41h                 ; our handler copies al into cl...
    xchg    dx, es:[41h*4]      ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; ...so cl!=al means something else handled int 41h
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

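The bit layout that the Method 10 check relies on, as an added worked example in Python (not code from the original post): the field positions come from the Intel SDM description of DR7, while the 0x400/0x700 reading and the "clear the BPMs" manipulation are the post's own claims turned into functions. The sample DR7 values fed in are constructed, not dumped from a real machine.

```python
"""Decoding and rewriting DR7 as the ring-0 check of Method 10 sees it.

Added example (not from the original post).  Bit layout follows the Intel SDM:
bits 0..7 = L0,G0..L3,G3 enables, bit 8 = LE, bit 9 = GE, bit 10 reserved (reads 1),
bits 16+4n..19+4n = R/Wn and LENn for breakpoint n.
"""
from typing import Dict, List

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}      # LENn=10b means 8 bytes and only exists in long mode


def decode_dr7(dr7: int) -> Dict:
    """Split DR7 into the LE/GE flags and one entry per armed DR0..DR3."""
    armed: List[Dict] = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue                          # not enabled: R/W and LEN fields are noise
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        armed.append({"reg": n, "local": local, "global": glob,
                      "type": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return {"le": bool((dr7 >> 8) & 1), "ge": bool((dr7 >> 9) & 1),
            "reserved_bit10": bool((dr7 >> 10) & 1), "breakpoints": armed}


def classify(dr7: int) -> str:
    """The post's rule of thumb: 0x400 is the idle value (only the reserved bit set),
    0x700 adds LE and GE, which the post attributes to running the target under the
    SoftICE loader; any Ln/Gn bit means a hardware breakpoint (BPM) is armed."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        regs = "/".join("DR%d" % b["reg"] for b in d["breakpoints"])
        return "BPM armed on " + regs
    if d["le"] or d["ge"]:
        return "no BPM, LE/GE set (loaded under a debugger per Method 10)"
    return "idle"


def arm_bpm(dr7: int, n: int, kind: str, length: int, global_: bool = True) -> int:
    """What a debugger does to set a BPM on DRn: set Gn (or Ln) and fill R/Wn and LENn."""
    rw_code = {v: k for k, v in RW_NAMES.items()}[kind]
    len_code = {v: k for k, v in LEN_BYTES.items()}[length]
    dr7 |= 1 << (2 * n + (1 if global_ else 0))
    dr7 &= ~(0xF << (16 + 4 * n)) & 0xFFFFFFFF   # clear the old R/W+LEN nibble first
    dr7 |= (rw_code | (len_code << 2)) << (16 + 4 * n)
    return dr7


def clear_bpms(dr7: int) -> int:
    """What a protection does when it wipes SoftICE's BPMs from ring 0: drop every
    enable bit and every R/W+LEN field, keep only LE, GE and the reserved bit."""
    return dr7 & 0x700


if __name__ == "__main__":
    # Constructed values: idle, SoftICE-loader case, then a 4-byte write BPM on DR0.
    for value in (0x400, 0x700, arm_bpm(0x400, 0, "write", 4)):
        print("%08X  %s" % (value, classify(value)))
```

Reading DR0..DR3 and DR7 is privileged (`mov eax, dr7` faults in ring 3), which is why the post says ring0 only; the decoding above is what you would run on the value once a VxD or driver has fetched it.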
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the driver answered the open: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
1 j6 G4 I8 ~$ H7 ?2 y; Z</PRE></TD></TR></TBODY></TABLE>