About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE answers the BCHK interface by changing al
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0000:0000 if the VxD is absent
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax               ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install our own int 41h handler, saving the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h          ; only a debugger sitting above the IVT can have answered
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al               ; proves that *our* handler ran
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; timer counter byte: a value the debugger cannot guess
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; cl==al only if int 41h reached our handler
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

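The decoder below is an added example and not code from the original text. It assumes the DR7 bit layout documented in the Intel SDM (bits 0-7 are the L/G enables for DR0..DR3, bits 8-9 LE/GE, bit 10 reserved and reads as 1, bit 13 GD, bits 16-31 the R/W and LEN fields per slot); the two reference values are the 0x700 and 0x400 quoted above, and the case labels in classify() plus the arm_slot/clear_slot helpers are constructed here to show what a BPM looks like in the register and what "clearing BPMs" means at the bit level.

```python
# Added example, not code from the original text: a decoder for the x86 DR7
# debug-control register, to make the two DR7 values quoted for Method 10
# (0x700 and 0x400) concrete and to show what a BPM-style hardware breakpoint
# looks like in the register. Bit layout is the Intel SDM one (vol. 3,
# "Debug Registers"); the case labels in classify() are constructed here and
# only restate what the text claims.
from dataclasses import dataclass, field
from typing import List

RW_KINDS = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}   # 0b10 means 8 bytes only in 64-bit mode
DR7_RESERVED = 1 << 10                               # bit 10 always reads as 1


@dataclass
class HwBreakpoint:
    slot: int      # 0..3: DR0..DR3 holds the linear address
    local: bool    # Ln bit (bit 2*slot)
    glob: bool     # Gn bit (bit 2*slot + 1)
    kind: str      # decoded R/Wn field
    length: int    # decoded LENn field, in bytes


@dataclass
class Dr7State:
    raw: int
    le: bool       # bit 8,  local exact breakpoint enable
    ge: bool       # bit 9,  global exact breakpoint enable
    gd: bool       # bit 13, general detect (trap on any DRx access)
    breakpoints: List[HwBreakpoint] = field(default_factory=list)


def decode_dr7(dr7: int) -> Dr7State:
    """Split a DR7 value into its enable flags and the armed DR0..DR3 slots."""
    state = Dr7State(raw=dr7,
                     le=bool((dr7 >> 8) & 1),
                     ge=bool((dr7 >> 9) & 1),
                     gd=bool((dr7 >> 13) & 1))
    for slot in range(4):
        local = bool((dr7 >> (2 * slot)) & 1)
        glob = bool((dr7 >> (2 * slot + 1)) & 1)
        if not (local or glob):
            continue                      # disabled slot: the CPU ignores its R/W and LEN bits
        rw = (dr7 >> (16 + 4 * slot)) & 0b11
        ln = (dr7 >> (18 + 4 * slot)) & 0b11
        state.breakpoints.append(HwBreakpoint(slot, local, glob, RW_KINDS[rw], LEN_BYTES[ln]))
    return state


def arm_slot(dr7: int, slot: int, kind: str, length: int, local: bool = True) -> int:
    """Return dr7 with DR<slot> enabled for the given access kind and length (a BPM)."""
    rw = {v: k for k, v in RW_KINDS.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    dr7 &= ~(0b1111 << (16 + 4 * slot))           # clear the old R/W and LEN for this slot
    dr7 |= (rw << (16 + 4 * slot)) | (ln << (18 + 4 * slot))
    dr7 |= 1 << (2 * slot + (0 if local else 1))  # Ln or Gn
    return dr7 | DR7_RESERVED


def clear_slot(dr7: int, slot: int) -> int:
    """Disarm DR<slot>: the 'clearing BPMs' manipulation the text mentions."""
    dr7 &= ~(0b11 << (2 * slot))                   # Ln and Gn
    dr7 &= ~(0b1111 << (16 + 4 * slot))            # R/Wn and LENn
    return dr7 | DR7_RESERVED


def classify(dr7: int) -> str:
    """Name the situation a DR7 value corresponds to, using the text's two reference values."""
    st = decode_dr7(dr7)
    if st.breakpoints:
        return "hardware breakpoints armed"
    if st.le and st.ge:
        return "LE/GE set, no breakpoints (the text's 0x700 case: started under the SoftICE loader)"
    return "LE/GE clear, no breakpoints (the text's 0x400 case)"


if __name__ == "__main__":
    for value in (0x400, 0x700, arm_slot(0x400, 0, "read/write", 4)):
        print(hex(value), classify(value), decode_dr7(value).breakpoints)
```

Note that 0x700 differs from 0x400 only in LE and GE (bits 8 and 9), so the difference the text uses as a loader fingerprint is not a breakpoint at all; an armed BPM shows up in bits 0-7 and 16-31, which is what decode_dr7 reports. As the text says, reading DR0-DR7 requires ring 0 on this platform.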
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* the VxD answers the open of its device name only when it is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-()
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one!

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

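The scanner below is an added example; it is not code from the original text nor from any tool the text names. It turns the fingerprints of several of the methods above into static byte patterns so that an analyst triaging a sample can see which anti-SoftICE checks it carries and at which offsets: the 'BCHK' load (Method 01), the 4647h/4A4Dh magic values (Method 02), the int 2Fh/1684h VxD-ID probes (Methods 03 and 04), the int 41h/4Fh and int 68h/43h calls (Methods 05 and 07), the 0F386h compare (Methods 05, 07 and 12), the MeltICE device names (Method 11) and the registry paths (Method 13). The opcode bytes are standard x86 encodings of the instructions exactly as the text lists them (16-bit immediates for the DOS-era checks, a 32-bit immediate for 'BCHK'), and the sample image is constructed; a real triage rule would need looser patterns, since a packer can pick other registers or split the sequences.

```python
# Added example, not code from the original text or from any tool it names:
# a static byte-pattern scanner for the fingerprints of the anti-SoftICE checks
# described above. Opcode sequences are the standard x86 encodings of the
# instructions as listed in the text; string markers are the device and
# registry names it quotes. Exact-sequence patterns are brittle on purpose
# here (they keep the example readable); widen them for real triage.
from typing import Dict, List, Tuple

# signature name -> (method number(s) in the text, raw byte patterns)
SIGNATURES: Dict[str, Tuple[str, List[bytes]]] = {
    "bchk_interface":   ("01", [b"\xBD\x4B\x48\x43\x42"]),               # mov ebp,04243484Bh
    "backdoor_magic":   ("02", [b"\xBE\x47\x46", b"\xBF\x4D\x4A"]),       # mov si,4647h / mov di,4A4Dh
    "vxd_entry_sice":   ("03", [b"\xBB\x02\x02\xCD\x2F"]),                # mov bx,0202h ; int 2Fh
    "vxd_entry_siwvid": ("04", [b"\xBB\x5F\x7A\xCD\x2F"]),                # mov bx,7A5Fh ; int 2Fh
    "int41_fn4f":       ("05", [b"\xB8\x4F\x00\xCD\x41"]),                # mov ax,4Fh ; int 41h
    "int68_fn43":       ("07", [b"\xB4\x43\xCD\x68"]),                    # mov ah,43h ; int 68h
    "debugger_magic":   ("05/07/12", [b"\x3D\x86\xF3"]),                  # cmp ax,0F386h
    "meltice_devices":  ("11", [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]),
    "registry_probe":   ("13", [b"Software\\NuMega\\SoftICE", b"Uninstall\\SoftICE"]),
}


def scan(image: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, signature name, method) for every hit, ordered by offset."""
    hits: List[Tuple[int, str, str]] = []
    for name, (method, patterns) in SIGNATURES.items():
        for pattern in patterns:
            start = 0
            while True:
                pos = image.find(pattern, start)
                if pos == -1:
                    break
                hits.append((pos, name, method))
                start = pos + 1               # keep going: the same trick is often repeated
    return sorted(hits)


def summarize(image: bytes) -> Dict[str, int]:
    """Count hits per signature, which is what a triage report usually wants."""
    counts: Dict[str, int] = {}
    for _, name, _ in scan(image):
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample image (not a real program): filler bytes around the
# Method 01 and Method 02 instruction sequences, one MeltICE device name and
# one registry path, laid out so the expected offsets are easy to check by hand.
SAMPLE_IMAGE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42"                 # offset 8:  mov ebp,'BCHK'
    + b"\x90" * 4
    + b"\xB8\x11\x09"                         # offset 17: mov ax,0911h
    + b"\xBE\x47\x46"                         # offset 20: mov si,4647h
    + b"\xBF\x4D\x4A"                         # offset 23: mov di,4A4Dh
    + b"\xCC"                                 # offset 26: int 3
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                      # offset 31: device name \\.\SICE
    + b"Software\\NuMega\\SoftICE\x00"        # offset 40: registry path (#2 above)
)


if __name__ == "__main__":
    for offset, name, method in scan(SAMPLE_IMAGE):
        print(f"{offset:#06x}  {name:<18} (method {method})")
    print(summarize(SAMPLE_IMAGE))
```

Running the block on SAMPLE_IMAGE reports one 'BCHK' hit, both back-door magic values, the device name and the registry path with their offsets, which is the level of detail needed to jump straight to the check in a disassembler. The string signatures are the robust part of the rule set; the opcode signatures only catch code that uses the same registers and instruction order as the listings above.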
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>