<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce window)
 -AX = 0911h (Execute SIce command; the command string is at ds:dx)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

        4C19:0095 MOV AX,0911      ; execute command.
        4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647      ; 1st magic value.
        4C19:009D MOV DI,4A4D      ; 2nd magic value.
        4C19:00A0 INT 3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
        4C19:00A1 ADD BX,02        ; BX+2 to point to next command to execute
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
        4C19:00A8 JB 0095          ; 6 different commands.
        4C19:00AA JMP 0002         ; Bad_Guy jmp back.
        4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" is the device name the SoftICE VxD answers to */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the open succeeded, so the driver is loaded */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:
        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
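Added example, not from the original article: a small Python scanner for the opcode and string patterns that Methods 01 to 05, 07, 11 and 12 assemble to, so a sample can be triaged for these checks before it is loaded in a debugger. The byte encodings assume the plain MASM/TASM forms shown above, and the sample byte strings are constructed here.

```python
import re

# Method -> (description, regex over raw code bytes).  Hex in comments is the
# encoding of the instruction shown on the page; the optional 0x66 prefix
# admits the 16-bit register forms when they sit inside a 32-bit segment.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("01", "BoundsChecker 'BCHK' probe via int 3",
     rb"\xbd\x4b\x48\x43\x42.{0,12}?\xcc"),
    # Method 02: mov si,4647h ; mov di,4A4Dh ; int 3 (SoftICE back door)
    ("02", "int 3 back door, SI=4647h/DI=4A4Dh",
     rb"\x66?\xbe\x47\x46.{0,8}?\x66?\xbf\x4d\x4a.{0,8}?\xcc"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("03/04", "int 2Fh/1684h entry point of the SICE or SIWVID VxD",
     rb"\x66?\xb8\x84\x16.{0,8}?\x66?\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f"),
    # Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    ("05", "int 41h/4Fh debugger installation check",
     rb"\x66?\xb8\x4f\x00.{0,8}?\xcd\x41.{0,8}?\x66?\x3d\x86\xf3"),
    # Method 07: mov ah,43h ; int 68h
    ("07", "int 68h/43h V86 handler check", rb"\xb4\x43.{0,4}?\xcd\x68"),
    # Method 11: device names MeltICE opens with CreateFileA or _lopen
    ("11", "MeltICE driver name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch) ; VxDCall
    ("12", "VxDCall VWIN32_Int41Dispatch function 4Fh",
     rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00"),
]
COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in SIGNATURES]


def scan(code: bytes) -> list:
    """Return (offset, method, description) for every hit, ordered by offset."""
    hits = []
    for method, desc, rx in COMPILED:
        hits.extend((m.start(), method, desc) for m in rx.finditer(code))
    return sorted(hits)


# Constructed samples.  HASP_LOOP is the Haspinst.exe loop from Method 02 as
# bytes: MOV AX,0911 / MOV DX,[BX] / MOV SI,4647 / MOV DI,4A4D / INT 3 /
# ADD BX,02 / INC CX / CMP CX,06 / JB 0095 (72 EB is the rel8 back to 0095).
HASP_LOOP = bytes.fromhex("b8 11 09 8b 17 be 47 46 bf 4d 4a cc 83 c3 02 41 83 f9 06 72 eb")
# Method 01 in a 32-bit segment: mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4
BCHK_PROBE = bytes.fromhex("bd 4b 48 43 42 66 b8 04 00 cc 3c 04")
# Method 12: push 4Fh / push 2A002Ah / call [imp] / cmp ax,0F386h
VXDCALL_PROBE = bytes.fromhex("6a 4f 68 2a 00 2a 00 ff 15 00 00 00 00 66 3d 86 f3")
# Method 11: two device paths as CreateFileA receives them
MELTICE_DATA = b"\\\\.\\SICE\0" + b"\\\\.\\NTICE\0"
# An ordinary prologue/epilogue that must produce no hit
CLEAN = bytes.fromhex("55 8b ec 33 c0 5d c3")

if __name__ == "__main__":
    samples = {"HASP_LOOP": HASP_LOOP, "BCHK_PROBE": BCHK_PROBE, "VXDCALL_PROBE": VXDCALL_PROBE,
               "MELTICE_DATA": MELTICE_DATA, "CLEAN": CLEAN}
    for name, blob in samples.items():
        for off, method, desc in scan(blob):
            print(f"{name}+0x{off:04x}: Method {method}: {desc}")
```

Run it over a raw code or data section dumped from the sample; hits give the offset to set a breakpoint on, or to compare with the BPX conditions listed above.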
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( )

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>