About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses SoftICE's built-in BoundsChecker interface: int 3 is issued with
EBP = 'BCHK' and AX = 4. If SoftICE is loaded it services the request
and returns with AL changed; if it is not, the interrupt goes through
untouched and AL is still 4.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

Note that under Win32 an int 3 that nobody services raises a breakpoint
exception, so real implementations wrap the call in an SEH frame (compare
the note on Method 02).

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses
the SoftICE 'back door' commands, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; the command string is at DS:DX)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; DS:DX points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at DS:DX, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* The "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD by its ID via int 2Fh/1684h
(Get VxD API entry point). If the VxD is not loaded, ES:DI comes back as 0.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX (video) VxD, SIWVID.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

This method looks for the 'magic number' 0F386h returned in AX by every
system debugger (SoftICE, WDEB386...) in answer to int 41h, function 4Fh
(debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next one, as well as the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). It first points the real-mode int 41h
vector at a dummy IRET handler, so that without a system debugger the call
returns with AX unchanged, and restores the vector afterwards:

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our handler, keep the old one
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but harder to detect, because it
never asks for function 4Fh: AL is loaded with a pseudo-random value read
from the timer port, the local handler copies AL into CL, and the two are
compared afterwards. The check relies on SoftICE intercepting int 41h before
the real-mode vector is reached: then the local handler never runs, CL stays
0 and differs from AL (unless AL happens to be 0, a 1-in-256 chance of
missing the debugger):

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; swap in our handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read PIT counter 0 -> pseudo-random AL
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86): function 43h returns the
same 0F386h magic number as int 41h/4Fh.

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with
DS:DX pointing to the new routine to execute (hangs the computer...).

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, 01h                 ; interrupt number: 01h (or 03h)
    mov     dx, offset New_Int_Routine ; DS:DX -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ECX)
for that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(DR7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are memory breakpoints set (DR0 to DR3), simply by reading their
values (in ring 0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* TRUE if the SoftICE device can be opened, i.e. its driver is loaded:
   "\\\\.\\SICE" / "\\\\.\\SIWVID" on Win9x, "\\\\.\\NTICE" on WinNT. */
BOOL IsSoftIceDeviceLoaded(const char *szDevice)
{
   HANDLE hFile = CreateFileA( szDevice, GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

BOOL IsSoftIce95Loaded(void)
{
   return IsSoftIceDeviceLoaded("\\\\.\\SICE")
       || IsSoftIceDeviceLoaded("\\\\.\\SIWVID");
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall) and then browses
the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow
its handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 and 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was
found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

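The sequences quoted in Methods 01 to 07, 11 and 12 are also easy to spot
statically. As an added example (not part of the original text, and not code
from any of the tools it mentions), here is a small C signature scanner that
looks for their byte encodings in a buffer: the 16-bit encodings of the
DOS/V86 listings for Methods 01-07, the "\\.\SICE" / "\\.\SIWVID" / "\\.\NTICE"
device names of Method 11, and the 32-bit push pair of Method 12. It recovers
the VxD ID from an int 2Fh/1684h probe and runs over a constructed sample
buffer. The Sig/Hit types, the signature names and the sample bytes are my
own assumptions; the opcode bytes are the plain encodings of the instructions
shown above, so a packer that reorders them or inserts junk in between evades
these exact patterns, which is why the conditional BPX/BPINT breakpoints above
remain the more robust check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Masked byte signature: mask[i] == 0 marks a wildcard byte (mask NULL = all fixed). */
typedef struct {
    const char    *name;
    const uint8_t *pat;
    const uint8_t *mask;
    size_t         len;
} Sig;

typedef struct {
    const char *name;
    size_t      off;
    uint16_t    arg;   /* decoded operand where the signature has one (VxD ID), else 0 */
} Hit;

/* 16-bit (DOS / V86) encodings of the sequences quoted in Methods 01-07. */
static const uint8_t sig_bchk[]    = {0x66,0xBD,0x4B,0x48,0x43,0x42,0xB8,0x04,0x00,0xCC}; /* mov ebp,'BCHK'; mov ax,4; int 3 */
static const uint8_t sig_bdoor[]   = {0xBE,0x47,0x46,0xBF,0x4D,0x4A,0xCC};               /* mov si,4647h; mov di,4A4Dh; int 3 */
static const uint8_t sig_vxd[]     = {0xB8,0x84,0x16,0xBB,0x00,0x00,0xCD,0x2F};           /* mov ax,1684h; mov bx,ID; int 2Fh */
static const uint8_t sig_vxd_m[]   = {1,1,1,1,0,0,1,1};                                   /* the bx operand is a wildcard */
static const uint8_t sig_int41[]   = {0xB8,0x4F,0x00,0xCD,0x41};                          /* mov ax,4Fh; int 41h */
static const uint8_t sig_int68[]   = {0xB4,0x43,0xCD,0x68};                               /* mov ah,43h; int 68h */
/* 32-bit (Win32) encoding of the Method 12 VxDCall argument pushes. */
static const uint8_t sig_vxdcall[] = {0x6A,0x4F,0x68,0x2A,0x00,0x2A,0x00};               /* push 4Fh; push 002A002Ah */

static const Sig sigs[] = {
    {"M01 BCHK int 3",           sig_bchk,    NULL,      sizeof sig_bchk},
    {"M02 backdoor magic",       sig_bdoor,   NULL,      sizeof sig_bdoor},
    {"M03/04 int 2F/1684",       sig_vxd,     sig_vxd_m, sizeof sig_vxd},
    {"M05 int 41/4F",            sig_int41,   NULL,      sizeof sig_int41},
    {"M07 int 68/43",            sig_int68,   NULL,      sizeof sig_int68},
    {"M12 VWIN32_Int41Dispatch", sig_vxdcall, NULL,      sizeof sig_vxdcall},
};

/* Device names opened by MeltICE-style checks (Method 11). */
static const char *const devnames[] = {"\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"};

static int match_at(const uint8_t *p, const Sig *s)
{
    for (size_t i = 0; i < s->len; i++)
        if ((s->mask == NULL || s->mask[i]) && p[i] != s->pat[i])
            return 0;
    return 1;
}

/* Scan buf[0..n) for every signature; returns the number of hits stored (at most max). */
size_t scan_antisice(const uint8_t *buf, size_t n, Hit *hits, size_t max)
{
    size_t count = 0;
    for (size_t off = 0; off < n && count < max; off++) {
        for (size_t k = 0; k < sizeof sigs / sizeof sigs[0] && count < max; k++) {
            const Sig *s = &sigs[k];
            if (off + s->len <= n && match_at(buf + off, s)) {
                Hit h = {s->name, off, 0};
                if (s->pat == sig_vxd)   /* recover the VxD ID from the mov bx,imm16 */
                    h.arg = (uint16_t)(buf[off + 4] | (buf[off + 5] << 8));
                hits[count++] = h;
            }
        }
        for (size_t k = 0; k < sizeof devnames / sizeof devnames[0] && count < max; k++) {
            size_t l = strlen(devnames[k]);
            if (off + l <= n && memcmp(buf + off, devnames[k], l) == 0) {
                Hit h = {"M11 device name", off, 0};
                hits[count++] = h;
            }
        }
    }
    return count;
}

/* Constructed sample (not taken from any real binary): the head of the
   Haspinst-style back-door loop, an int 2F/1684 probe for SICE, an int 41/4F
   probe, a MeltICE device name and the Win32 VxDCall push pair, padded with NOPs. */
static const uint8_t sample[] = {
    0x90,0x90,
    0xB8,0x11,0x09, 0x8B,0x17, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,   /* offset 7: Method 02 */
    0x90,
    0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F,                         /* offset 15: Method 03, ID 0202h */
    0x90,
    0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3,                         /* offset 24: Method 05 */
    0x90,
    '\\','\\','.','\\','S','I','C','E',0x00,                           /* offset 33: Method 11 */
    0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00,                               /* offset 42: Method 12 */
    0x90,
};

size_t demo_hits(Hit *hits, size_t max)
{
    return scan_antisice(sample, sizeof sample, hits, max);
}

int main(void)
{
    Hit hits[16];
    size_t n = demo_hits(hits, 16);
    for (size_t i = 0; i < n; i++) {
        printf("%-26s at offset %2zu", hits[i].name, hits[i].off);
        if (hits[i].arg)
            printf("  (VxD ID %04Xh)", hits[i].arg);
        putchar('\n');
    }
    return 0;
}
```

Run on the sample it reports five hits (Methods 02, 03 with ID 0202h, 05, 11
and 12). Feeding it a real DOS or Win9x executable instead of the sample gives
a quick first pass before tracing with the breakpoints above; Methods 08, 09,
10, 13 and 14 have no fixed byte pattern and are not covered.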
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
     (esp->8 is lpSubKey; 0x13 and 0x37 are the offsets of "tICE" in
     "Software\NuMega\SoftICE" and in
     "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE")

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only). It returns with the zero flag clear if a debugger is installed.

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
汶上信息港 ( 鲁ICP备19052200号-1 ) - Powered by Discuz! X3.5