About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface that SoftICE answers to: with
EBP = 'BCHK' and AX = 4, SoftICE's int 3 handler recognises the request and
modifies AL, whereas without SoftICE AL is still 4 after the int 3.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; AL untouched -> no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It uses the
SoftICE 'Back Door' interface, which gives information on breakpoints or
executes SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SoftICE window)
-AX = 0911h   (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jump back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

8 q4 ~& M* |4 Z1 j+ HMethod 03" t8 h/ y* H3 }  d
=========
  ^) u  O# A- _5 n- ^
# w  `0 O. N2 pLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h; t/ \+ }; S8 {# U1 ?" z- _
(API Get entry point)& l4 o3 R* @" |# S! r
        ! g9 |; D5 C# c  s6 @' L! u# W
" p2 ^  u, M/ y1 T1 ^) q4 R
    xor     di,di% D' k' T' s$ h
    mov     es,di: q& G  v) ^) F! J
    mov     ax, 1684h       4 @, T% t0 O3 K' a( H
    mov     bx, 0202h       ; VxD ID of winice
5 a3 [/ e% w% A8 d    int     2Fh8 Q9 X4 w0 a; a9 h2 m# ~4 A
    mov     ax, es          ; ES:DI -&gt; VxD API entry point! e* X0 J5 L3 a' ]" ~$ j
    add     ax, di
6 {5 ^6 c/ i# W8 a( s! F9 @8 D    test    ax,ax
, q) N( t. Y: A- {1 g1 v/ }    jnz     SoftICE_Detected
# n; s/ |' C& i
1 g5 w) G7 j# Y" G  v___________________________________________________________________________( a9 k, T; G& |7 W2 q

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID, 7A5Fh).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by every system
debugger. It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net).  Before issuing int 41h it points the
real-mode vector for int 41h at a do-nothing handler (ES must be 0 here, as
set up in Method 06), so that on a machine without a system debugger AX is
guaranteed to come back unchanged; only a debugger hooking int 41h
underneath, such as SoftICE, can still answer 0F386h:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our handler (offset)
    xchg    bx, es:[41h*4+2]        ; ... and segment; old vector now in BX:DX
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: it
does not look for the 0F386h magic value at all, so a "BPINT 41 if ax==4f"
never fires.  AL is loaded with a value read from the timer port (40h), CX is
cleared and int 41h is issued through the temporary handler, which copies AL
into CL.  If the handler ran, CL equals AL; if a system debugger intercepted
int 41h instead of letting it reach the handler, CL is still 0.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random value from timer channel 0
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (ring0 only: a mov from a debug register faults in ring3).  Values
can be manipulated and changed as well (clearing BPMs, for instance).

__________________________________________________________________________
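The two dr7 values quoted above are just bit patterns in the Intel DR7 layout: 0x400 is the reserved bit 10 (always reads as 1), and 0x700 adds LE and GE (bits 8 and 9), which are the "exact breakpoint" bits a debugger sets. The following Python decoder is an added example, not code from the original post or from any protector; it shows what Method 10 is really reading when it looks at dr7 and dr0-dr3, applies the page's rule to a register snapshot, and shows the "clear BPMs" manipulation. The register values are constructed for the example.

```python
# Added example: decode the debug registers that Method 10 reads from ring 0.
# DR7 layout (Intel SDM vol. 3): bit 2i = L_i, bit 2i+1 = G_i (enable slot i),
# bit 8 = LE, bit 9 = GE (exact breakpoint mode), bit 10 = reserved (reads 1),
# bit 13 = GD (trap any access to DR0-DR7), bits 16+4i..17+4i = R/W_i,
# bits 18+4i..19+4i = LEN_i.
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}   # io needs CR4.DE
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}                                # 8 only in 64-bit mode


def decode_dr7(dr7, dr0=0, dr1=0, dr2=0, dr3=0):
    """Describe the breakpoint state encoded in DR7 (addresses from DR0-DR3)."""
    addrs = (dr0, dr1, dr2, dr3)
    bps = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue                          # slot i disarmed
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        bps.append({"slot": i, "addr": addrs[i], "type": RW_NAMES[rw],
                    "len": LEN_NAMES[ln],
                    "scope": "global" if glob else "local"})
    return {
        "exact_local": bool(dr7 & 0x100),      # LE
        "exact_global": bool(dr7 & 0x200),     # GE
        "general_detect": bool(dr7 & 0x2000),  # GD
        "breakpoints": bps,
    }


def softice_indicators(dr7, dr0=0, dr1=0, dr2=0, dr3=0):
    """Apply the page's Method 10 rule to a register snapshot and return the
    reasons a protector would flag it (empty list = looks clean)."""
    state = decode_dr7(dr7, dr0, dr1, dr2, dr3)
    reasons = []
    if state["exact_local"] and state["exact_global"]:
        # 0x700 = LE | GE | reserved bit 10: the page's "loaded with the
        # SoftICE loader" value; 0x400 is the reserved bit alone.
        reasons.append("dr7 has LE/GE set (0x700): started under SoftICE's loader")
    for bp in state["breakpoints"]:
        reasons.append("BPM slot %d armed: %s %d byte(s) at %#x"
                       % (bp["slot"], bp["type"], bp["len"], bp["addr"]))
    return reasons


def clear_bpm(dr7):
    """What a protector does when it 'clears BPMs' from ring 0: drop every
    enable, R/W and LEN field, keep LE/GE/GD and the always-set bit 10."""
    return (dr7 & 0x3F00) | 0x400


# Constructed snapshot (not captured from a real machine): started under the
# SoftICE loader, with one 4-byte write BPM on 0x401000 in slot 0
# (G0 = 1, R/W0 = 01b, LEN0 = 11b).
SAMPLE_DR7 = 0x700 | 0x2 | (0x1 << 16) | (0x3 << 18)
SAMPLE_DR0 = 0x401000

if __name__ == "__main__":
    for line in softice_indicators(SAMPLE_DR7, dr0=SAMPLE_DR0):
        print(line)
    print("after clear_bpm: %#x" % clear_bpm(SAMPLE_DR7))
```

Reading the registers themselves still needs ring 0 (a VxD, or in the page's terms a VxDCall from ring 3); the decoder only interprets values that were already read, so it can also be applied to a crash dump or a debugger's register window.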

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open a handle to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* open the device object of the SoftICE VxD; only succeeds if it is loaded */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft load/unload a
non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is (esp->4 is the lpFileName argument, +4 skips the
 '\\.\' prefix):
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one!

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; 0x13 and
0x37 are the offsets of 'tICE' in keys #2 and #1 respectively):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring0
only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
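Nearly every check above leaves a fixed constant in the protected binary: the 'BCHK' immediate of Method 01, the SI/DI magic values of Method 02, the VxD IDs of Methods 03/04 and 09, the 0F386h compare of Methods 05, 07 and 12, the device names of Method 11 and the registry keys of Method 13. The following Python scanner is an added example, not code from the original post; it turns those constants into byte signatures and reports where they occur in a file, which is a quicker first pass than waiting for one of the conditional BPX/BPINT breakpoints listed above to fire. The signature names, the allowed gaps between instructions and the sample buffer are choices made for this example; the sample is hand-assembled from the page's own instruction sequences and is not taken from any real binary.

```python
import re

# Byte signatures for the SoftICE checks described on this page.  Encodings are
# given for 16-bit code; in 32-bit code the same instructions carry a 66h
# operand-size prefix, which does not matter because every pattern starts at
# the opcode byte.  Small lazy gaps (.{0,n}?) allow a few unrelated
# instructions between the parts of a check.  Names and gap sizes are choices
# made for this example, not anything SoftICE or the page defines.
SIGNATURES = [
    ("Method 01: BCHK signature (mov ebp,4243484Bh)",
     rb"\xbd\x4b\x48\x43\x42"),
    ("Method 02: back door magic values (mov si,4647h / mov di,4A4Dh)",
     rb"\xbe\x47\x46.{0,4}?\xbf\x4d\x4a"),
    ("Method 03/04: int 2Fh/1684h with the SICE (0202h) or SIWVID (7A5Fh) VxD ID",
     rb"\xbb(?:\x02\x02|\x5f\x7a).{0,12}?\xcd\x2f"),
    ("Method 05: mov ax,4Fh / int 41h",
     rb"\xb8\x4f\x00.{0,8}?\xcd\x41"),
    ("Method 05/07: cmp ax,0F386h after int 41h or int 68h",
     rb"\xcd[\x41\x68].{0,8}?\x3d\x86\xf3"),
    ("Method 12: push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     rb"\x68\x2a\x00\x2a\x00"),
    ("Method 11: SoftICE device name for CreateFileA/_lopen",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("Method 13: SoftICE registry key",
     rb"(?i)(?:NuMega|Uninstall)\\SoftICE|Loader32\.Exe"),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan(buf):
    """Return [(offset, description), ...] for every signature found in buf,
    sorted by offset.  A hit is a lead, not proof: confirm it in a debugger."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(buf):
            hits.append((m.start(), name))
    hits.sort()
    return hits


# Constructed sample buffer (not from a real binary): the page's own
# instruction sequences, hand-assembled, followed by two of the strings.
SAMPLE = (
    b"\x90\x90"                                   # nop ; nop (padding)
    # Method 01 (32-bit code): mov ebp,4243484Bh ; mov ax,4 ; int 3 ;
    #                          cmp al,4 ; jnz +10h
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04\x75\x10"
    # Method 02 (Haspinst.exe, 16-bit): mov ax,0911h ; mov dx,[bx] ;
    #                          mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"
    # Method 03 (16-bit): xor di,di ; mov es,di ; mov ax,1684h ;
    #                     mov bx,0202h ; int 2Fh
    + b"\x31\xff\x8e\xc7\xb8\x84\x16\xbb\x02\x02\xcd\x2f"
    # Method 05 (16-bit): mov ax,4Fh ; int 41h ; cmp ax,0F386h ; jz +0
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x00"
    + b"\\\\.\\SICE\x00"                          # Method 11 device name
    + b"Software\\NuMega\\SoftICE\x00"            # Method 13 registry key
)

if __name__ == "__main__":
    import sys
    # Usage: python scan_softice.py <file>   (no argument: scan SAMPLE)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, name in scan(data):
        print("%08x  %s" % (off, name))
```

Packed or encrypted protectors only expose these constants after unpacking, so run the scanner over a memory dump taken after the decryption stub has finished rather than over the file on disk; and treat the Method 03/04 pattern with some suspicion on 16-bit DOS code, where a `mov bx,0202h` followed by an unrelated int 2Fh call is possible.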