About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if a handle to the SoftICE Win9x driver can be opened,
   i.e. the driver is loaded. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

9 ^: b2 T5 E7 I, J2 OMethod 137 L4 l3 X# W& C5 R# c! H% s& f
=========
' p  n, c) y0 y' U
+ @" v: u% z: u+ d3 HNot a real method of detection, but a good way to know if SoftICE is
8 d7 t" M8 n* U* @: ginstalled on a computer and to locate its installation directory.- ?8 M/ n' i0 f" v* X
It is used by few softs which access the following registry keys (usually #2) :! e1 o5 j; G7 A' ]# u/ u6 p6 M

( i2 [) N2 Z( T) o" E& S$ `' Y/ M9 M-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion/ j- }: v$ w4 I: _
\Uninstall\SoftICE0 F" s& Q# g0 [/ h4 B/ ^& j% x& `
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
8 X7 I2 T0 A* [/ {* V3 x) Y-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
/ l* a; n- c$ ?+ w: l0 {2 T\App Paths\Loader32.Exe- }& A3 Q% Z1 V

! q2 l) n6 O7 i# N" ~0 L- @4 {( t( d6 e, S( \1 U9 B
Note that some nasty apps could then erase all files from SoftICE directory+ g  o( s2 E8 Y2 Z/ G- z- B. \8 L
(I faced that once :-(/ J% w" q8 |. G0 f; a0 H

5 k" B8 P) s% }1 y' PUseful breakpoint to detect it:
, g, I- o, c6 k( ?' M1 h4 [( U( m$ ]8 x+ E
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
0 n: L5 J/ [- m& t" k+ J+ \& {8 o* g* N7 Q3 o7 O4 L: n
__________________________________________________________________________/ L( Z( q0 j2 B0 i; G7 q
  \, v8 H- x1 r% l$ R
) W+ g0 t1 m( ]( _, v
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
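The checks in Methods 01 to 12 leave recognisable byte sequences in a protected binary, so an analyst can flag them statically before the sample ever runs under a debugger. The following Python scanner is an added example, not code from the original post; the byte encodings are hand-assembled from the mnemonics above, the immediate and call forms it assumes are noted in the comments, and the sample buffer is constructed.

```python
import re

# Signatures for the anti-SoftICE checks described in Methods 01-12.
# Encodings are hand-assembled from the mnemonics in the text; the
# immediate/call forms (16-bit mov ax,imm; push imm8; call [import]) are
# assumptions about how a typical assembler/compiler emits them.
# "??" in a pattern is a one-byte wildcard.
SIGNATURES = [
    ("Method 01: mov ebp,4243484Bh ('BCHK') BoundsChecker check", "BD 4B 48 43 42"),
    ("Method 02: mov si,4647h / mov di,4A4Dh back door magic",    "BE 47 46 BF 4D 4A"),
    ("Method 03: int 2Fh/1684h with SICE VxD id 0202h",           "B8 84 16 BB 02 02 CD 2F"),
    ("Method 04: int 2Fh/1684h with SIWVID VxD id 7A5Fh",         "B8 84 16 BB 5F 7A CD 2F"),
    ("Method 05: mov ax,4Fh / int 41h debugger check",            "B8 4F 00 CD 41"),
    ("Method 07: mov ah,43h / int 68h V86 handler check",         "B4 43 CD 68"),
    ("Method 12: push 4Fh / push 2A002Ah / call [VxDCall]",       "6A 4F 68 2A 00 2A 00 FF 15 ?? ?? ?? ??"),
    ("Methods 05/06/07/12: cmp ax,0F386h debugger magic number",  "3D 86 F3"),
]

# Method 11 (MeltICE) and its _lopen variant open these device names.
DEVICE_NAMES = [
    ("Method 11: MeltICE device name \\\\.\\SICE",   b"\\\\.\\SICE"),
    ("Method 11: MeltICE device name \\\\.\\SIWVID", b"\\\\.\\SIWVID"),
    ("Method 11: MeltICE device name \\\\.\\NTICE",  b"\\\\.\\NTICE"),
]


def hexpat_to_regex(pattern):
    """Compile 'B8 4F 00 ?? CD 41' into a bytes regex; '??' matches any byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = ([(name, hexpat_to_regex(pat)) for name, pat in SIGNATURES] +
            [(name, re.compile(re.escape(s))) for name, s in DEVICE_NAMES])


def scan(buf):
    """Return [(offset, description), ...] for every signature hit, sorted by offset."""
    hits = []
    for name, rx in COMPILED:
        hits.extend((m.start(), name) for m in rx.finditer(buf))
    return sorted(hits)


# Constructed sample "binary": filler around a Method 01 check, a Method 12
# VxDCall check and the MeltICE device name (the call target bytes are dummies).
SAMPLE = (
    b"\x90" * 16
    + bytes.fromhex("BD4B484342" "B80400" "CC" "3C04")              # Method 01
    + b"\x90" * 8
    + bytes.fromhex("6A4F" "682A002A00" "FF1511223344" "663D86F3")  # Method 12
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                                             # Method 11
)

if __name__ == "__main__":
    for off, what in scan(SAMPLE):
        print(f"0x{off:04X}  {what}")
```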
</PRE></TD></TR></TBODY></TABLE>