<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-(

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911 ; execute command.
    4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647 ; 1st magic value.
    4C19:009D MOV DI,4A4D ; 2nd magic value.
    4C19:00A0 INT 3       ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02   ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06   ; Repeat 6 times to execute
    4C19:00A8 JB 0095     ; 6 different commands.
    4C19:00AA JMP 0002    ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP   ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h ; VxD ID of winice
    int 2Fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh ; VxD ID of SIWVID
    int 2fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The interrupt vector table lives at 0000:0000,
so es is zeroed first (as in Method 06) before the int 41h vector is swapped:

    xor ax,ax
    mov es,ax             ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]   ; install our own int 41h handler,
    xchg bx, es:[41h*4+2] ; keeping the old vector in bx:dx
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]   ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A 2nd method, similar to the preceding one but harder to detect. If SoftICE
has hooked int 41h, our handler is never reached, cl stays 0 and differs
from the value read into al:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax             ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]   ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h            ; read a (non-zero) value from the timer port
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]   ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns its Device Description Block (in ecx)
if it is installed.

    mov eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can detect
whether SoftICE is loaded (dr7=0x700 if you loaded the program with the
SoftICE loader, 0x400 otherwise) or whether some memory breakpoints are set
(dr0 to dr3), simply by reading their values (in ring 0 only). The values can
be manipulated or changed as well (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the device name succeeds only if the SICE VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025 ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00               ; OF_READ
    mov eax,[00656634]    ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589          ; detected
    push 00               ; OF_READ
    mov eax,[00656638]    ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae           ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 &amp; 06) but is very limited because it's only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh        ; function 4fh
    push 002a002ah        ; high word specifies which VxD (VWIN32),
                          ; low word specifies which service
                          ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001 ; VxdCall
    cmp ax, 0f386h        ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, there are several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
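
As an added example (not part of the original text), here is a small Python
scanner that looks for the byte patterns of the checks catalogued above in a
binary, the kind of triage an analyst runs on a packed sample before loading it
under a debugger. The x86 encodings and the sample input are my own assumptions,
and the patterns are deliberately narrow (exact instruction order, no padding),
so a miss proves nothing and a hit is a lead to verify, not proof.

```python
import re

# Byte signatures for the SoftICE checks catalogued above. The x86 encodings are
# assumed (hand-assembled) and deliberately narrow: a packer that reorders or
# pads the instructions will not match, so treat hits as leads, not proof.
SIGNATURES = {
    "01 BoundsChecker int 3 (mov ebp,'BCHK' / mov ax,4 / int 3)":
        rb"\xbd\x4b\x48\x43\x42(?:\x66)?\xb8\x04\x00\xcc",
    "02 int 3 back door (mov si,4647h / mov di,4A4Dh / int 3)":
        rb"\xbe\x47\x46\xbf\x4d\x4a\xcc",
    "03 int 2Fh/1684h with VxD ID 0202h (SICE)":
        rb"\xb8\x84\x16\xbb\x02\x02\xcd\x2f",
    "04 int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)":
        rb"\xb8\x84\x16\xbb\x5f\x7a\xcd\x2f",
    "05 int 41h/4Fh magic number check (mov ax,4fh / int 41h)":
        rb"(?:\x66)?\xb8\x4f\x00\xcd\x41",
    "07 int 68h/43h V86 handler check (mov ah,43h / int 68h)":
        rb"\xb4\x43\xcd\x68",
    "11 MeltICE driver name (\\\\.\\SICE, SIWVID or NTICE)":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    "12 VxDCall VWIN32_Int41Dispatch (push 4fh / push 002A002Ah)":
        rb"\x6a\x4f\x68\x2a\x00\x2a\x00",
}
COMPILED = [(name, re.compile(pat)) for name, pat in SIGNATURES.items()]


def scan(blob: bytes) -> list[tuple[int, str]]:
    """Return (offset, signature name) for every hit, ordered by file offset."""
    hits = [(m.start(), name) for name, rx in COMPILED for m in rx.finditer(blob)]
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed test input (not a real packer): NOP padding with four checks embedded."""
    return (
        b"\x90" * 8
        + bytes.fromhex("bd4b48434266b80400cc")  # method 01, 32-bit encoding
        + b"\x90" * 4
        + bytes.fromhex("be4746bf4d4acc")        # method 02
        + b"\\\\.\\SICE\x00"                     # method 11 device name string
        + bytes.fromhex("6a4f682a002a00")        # method 12
        + b"\x90" * 4
    )


if __name__ == "__main__":
    # To scan a real file: scan(open(path, "rb").read())
    for offset, name in scan(build_sample()):
        print(f"{offset:#06x}  {name}")
```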
</PRE></TD></TR></TBODY></TABLE>