About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: if SoftICE is loaded,
its BoundsChecker interface services the INT 3 and AL comes back modified;
if it is not, AL still holds 4 afterwards.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point). If no VxD with that ID is loaded, ES:DI is left
at 0:0, so a non-zero sum of ES and DI means SoftICE answered.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The program hooks int 41h with its own
handler that just IRETs, so AX should still hold 4Fh after the call; it only
comes back as 0F386h if a debugger grabs int 41h before the vector in the
IVT is reached:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; ES must be 0 (interrupt vector table)
    xchg    bx, es:[41h*4+2]        ; install our handler, keep the old vector
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP



_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect.
The program installs its own int 41h handler, which only copies AL into
CL, then reads a byte from port 40h (PIT counter) into AL and issues
int 41h with CX cleared. If its own handler was reached, CL equals AL
afterwards; if a debugger intercepted int 41h instead, CL is still 0 and
the program concludes that a debugger is present (if the timer byte
happens to be 0 the check misses, the price of keeping it inconspicuous):

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; ES = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random byte from the timer
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                      ; DOS set interrupt vector
    mov     al, Int_Number               ; 01h or 03h
    mov     dx, offset New_Int_Routine   ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\.\SICE" is the device name of the SoftICE VxD under Win9x */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;     /* the driver answered: SoftICE is loaded */
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>