About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of the packers/encryptors found on the Internet.
It uses the BoundsChecker interface of SoftICE: with the signature
'BCHK' in EBP and function 4 in AX, an INT 3 is answered by SoftICE,
which changes AL; if AL is still 4 afterwards, nobody intercepted the
interrupt.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________: B  d: E; v2 E; F- q5 G5 Q1 G
Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; the command string is at DS:DX)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

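The two INT 3 probes above need SoftICE under DOS/Win9x, but the skeleton the Haspinst.exe fragment relies on (raise a breakpoint trap, and let your own handler carry on only if no debugger took it) can still be tried today. What follows is an added example for Linux/x86; it is not part of the original article and not NuMega or HASP code. It installs a SIGTRAP handler, executes INT 3, and reports "detected" when the trap never reached the handler, which is what happens when a debugger such as gdb keeps the SIGTRAP for itself. The function names and the decision rule are this example's own assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <string.h>

/* Set by our handler when the breakpoint trap reaches the program itself. */
static volatile sig_atomic_t g_trap_seen;

/* "Good guy" path: the CPU saved the address after the INT 3, so there is
 * nothing to fix up; just record that we, not a debugger, got the trap. */
static void trap_handler(int sig)
{
    (void)sig;
    g_trap_seen = 1;
}

/* Returns 1 if something else owns breakpoint traps (a debugger), 0 if the
 * trap came back to us, -1 if the handler could not be installed. */
int int3_probe(void)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = trap_handler;
    sigemptyset(&sa.sa_mask);
    g_trap_seen = 0;
    if (sigaction(SIGTRAP, &sa, &old) != 0)
        return -1;

#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile ("int3");          /* the same 0xCC the DOS code uses */
#else
    /* Non-x86 fallback: a ptrace-attached debugger still sees this SIGTRAP
     * before our handler does, so the decision below is the same. */
    raise(SIGTRAP);
#endif

    sigaction(SIGTRAP, &old, NULL);     /* restore the previous handler */
    return g_trap_seen ? 0 : 1;
}
```

Run it normally and int3_probe() returns 0. Under gdb the INT 3 stops in the debugger, which by default keeps SIGTRAP for itself, so the handler never runs and the probe returns 1. Like the DOS original it only proves that nobody intercepted the trap: a tracer that passes SIGTRAP through to the program is invisible to it.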
Method 03
=========

A less used method.  It asks for the entry point of the SoftICE VxD API
through int 2Fh, function 1684h (Get Device API Entry Point), passing the
VxD ID in BX.  ES:DI is cleared first; if it comes back non-zero, the VxD
is loaded.

    xor     di, di
    mov     es, di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES+DI is non-zero if an entry point came back
    test    ax, ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE video VxD (SIWVID).

    xor     di, di
    mov     es, di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax, ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

This method looks for the 'magic number' 0F386h that every system
debugger returns (in AX) to int 41h, function 4Fh, the debugger
installation check.
There are several alternatives.

The following one is the simplest:

    mov     ax, 4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next one, as well as the one in Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net).  The int 41h slot of the interrupt vector
table does not normally point at code (the BIOS uses it for the fixed-disk
parameter table), so the code temporarily swaps in its own IRET stub with
XCHG, calls the interrupt, and swaps the old vector back.  If SoftICE is
present it services int 41h itself and AX comes back as 0F386h; otherwise
the stub returns with AX unchanged.

    mov     bx, cs                  ; ES must be 0 (the IVT) here, as set in Method 06
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax, 4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

A second method, similar to the preceding one but harder to detect,
because it never compares against the magic number.  Its handler copies AL
into CL.  Before the call, AL is loaded with a changing value from the
timer port (in al, 40h) and CX is zeroed; if CL equals AL afterwards, the
interrupt really reached the program's own handler, i.e. nobody intercepted
int 41h.  If a debugger answered the interrupt instead, CL stays 0.
(If the timer happens to read 0 the check passes anyway; a small blind spot.)

int41handler PROC
    mov     cl, al
    iret
int41handler ENDP

    xor     ax, ax
    mov     es, ax                  ; ES = 0: the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; a value that changes on every call
    xor     cx, cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl, al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov     ah, 43h
    int     68h
    cmp     ax, 0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system,
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
DS:DX pointing to the new routine to execute (which hangs the computer...).

    mov     ah, 25h                     ; set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; DS:DX -> the new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ECX)
for that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7 = 0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) and whether memory breakpoints are set (DR0 to DR3), simply by
reading their values (ring 0 only, since MOV from a debug register is a
privileged instruction).  The values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

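Reading DR7 is the privileged half of this trick; interpreting the value is the other half. The decoder below is an added example, not code from the article: it pulls a DR7 image apart into the fields the Intel SDM defines (the L0..L3/G0..G3 enables, the LE/GE exact-match bits, GD, and the R/W and LEN fields of each slot) so the two values quoted above can be compared. 0x400 is only the reserved bit 10, which always reads 1; 0x700 additionally has LE and GE set; neither has any of the four breakpoint slots armed, which is why DR0..DR3 have to be read as well to learn about BPMs. The sample value with two armed slots is constructed for this example, and the function names are ours.

```c
#include <stdint.h>

/* One hardware breakpoint slot as encoded in DR7 (Intel SDM vol. 3,
 * "Debug Registers"). The field layout is the CPU's, the names are ours. */
struct hw_bp {
    int local;   /* Ln bit: armed for the current task */
    int global;  /* Gn bit: armed for all tasks */
    int rw;      /* R/Wn: 0 = execute, 1 = write, 2 = I/O, 3 = read or write */
    int len;     /* LENn decoded to a byte count: 1, 2, 8 or 4 */
};

struct dr7_view {
    int le;      /* bit 8: local exact breakpoint enable */
    int ge;      /* bit 9: global exact breakpoint enable */
    int gd;      /* bit 13: general detect, faults on any MOV to/from DRx */
    struct hw_bp bp[4];
};

/* LEN encoding 00/01/10/11 -> 1/2/8/4 bytes (10b means 8 only in 64-bit mode). */
static const int len_bytes[4] = {1, 2, 8, 4};

struct dr7_view dr7_decode(uint32_t dr7)
{
    struct dr7_view v;
    v.le = (dr7 >> 8) & 1;
    v.ge = (dr7 >> 9) & 1;
    v.gd = (dr7 >> 13) & 1;
    for (int i = 0; i < 4; i++) {
        v.bp[i].local  = (dr7 >> (2 * i)) & 1;
        v.bp[i].global = (dr7 >> (2 * i + 1)) & 1;
        v.bp[i].rw     = (dr7 >> (16 + 4 * i)) & 3;
        v.bp[i].len    = len_bytes[(dr7 >> (18 + 4 * i)) & 3];
    }
    return v;
}

/* Number of slots armed either locally or globally: the BPMs a ring-0
 * check would find, and what a "clear the BPMs" routine would zero. */
int dr7_armed_slots(uint32_t dr7)
{
    struct dr7_view v = dr7_decode(dr7);
    int n = 0;
    for (int i = 0; i < 4; i++)
        n += v.bp[i].local || v.bp[i].global;
    return n;
}

/* Clear the enable bits of every slot and leave everything else intact:
 * the "values can be manipulated" half of the note above. Returns the new DR7. */
uint32_t dr7_disarm_all(uint32_t dr7)
{
    return dr7 & ~0xFFu;   /* L0..L3 and G0..G3 live in bits 0..7 */
}
```

The constructed value 0x00D00409 decodes to slot 0 armed locally as a 1-byte execute breakpoint and slot 1 armed globally as a 4-byte write breakpoint (RW1 = 01, LEN1 = 11); dr7_disarm_all() turns it back into 0x00D00400, which still carries the RW/LEN fields but arms nothing. A ring-3 program cannot read the registers itself; on Linux a tracer can read a tracee's via ptrace(PTRACE_PEEKUSER) at the debug-register offsets of struct user.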
, E7 A: x, Y5 q2 fMethod 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the carry flag, which lets
the handle be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns -1 on failure, hence the
INC EAX / JNZ test):

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________
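Both variants above (CreateFileA and the 16-bit _lopen) reduce to one question, can a handle to the driver's device name be opened, and the classic breakpoint only ever looks at four bytes of that name. The following added example (ours, not MeltICE's or nmtrans.dll's code) carries the check over into C: on Win32 it is the article's CreateFileA call; on POSIX it is an assumed equivalent, open(2) on the path, so the routine can run elsewhere. It also spells out what the `*(esp->4+4)=='SICE'` condition tests: esp->4 is lpFileName, +4 skips the `\\.\` prefix, and the next four bytes are compared. The device list is the article's; the function names and the POSIX branch are assumptions of this example.

```c
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <fcntl.h>
#include <unistd.h>
#endif

/* The driver names MeltICE tries (from the article): SoftICE and its video
 * driver on Win9x, the NT driver on WinNT. */
static const char *const softice_devices[] = {
    "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"
};
enum { N_DEVICES = sizeof softice_devices / sizeof softice_devices[0] };

/* 1 if a handle to `path` can be opened (and closed again), else 0.
 * This is the whole of the MeltICE check. */
int device_handle_opens(const char *path)
{
#ifdef _WIN32
    HANDLE h = CreateFileA(path, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE)
        return 0;
    CloseHandle(h);
    return 1;
#else
    /* Assumed POSIX stand-in: the device node a driver would create. */
    int fd = open(path, O_RDWR);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
#endif
}

/* Bit i set <=> softice_devices[i] could be opened; 0 means nothing found. */
int softice_device_mask(void)
{
    int mask = 0;
    for (int i = 0; i < N_DEVICES; i++)
        if (device_handle_opens(softice_devices[i]))
            mask |= 1 << i;
    return mask;
}

/* The predicate behind
 *   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * esp->4 is the first argument (lpFileName); +4 skips "\\.\"; the four bytes
 * there are compared with the literal. The length guard is ours: the real
 * breakpoint reads four bytes unconditionally. */
int meltice_bpx_condition(const char *lpFileName)
{
    if (lpFileName == NULL || strlen(lpFileName) < 8)
        return 0;
    const char *p = lpFileName + 4;
    return memcmp(p, "SICE", 4) == 0 ||
           memcmp(p, "SIWV", 4) == 0 ||
           memcmp(p, "NTIC", 4) == 0;
}
```

On a machine without SoftICE, softice_device_mask() is 0 and meltice_bpx_condition() fires only for the three names the breakpoint lists. Under a real SoftICE the handle request is only the first step the article describes (it is turned into a DIOC_OPEN to the VxD), so the breakpoints on VWIN32 and VMM_GetDDBList catch the same probe further down.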

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall back door. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; 0x13 and
0x37 are the offsets of 'tICE' inside key #2 and key #1 respectively):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on the system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>