About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; es = 0 -> interrupt vector table (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

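Why the text contrasts dr7=0x700 with 0x400 becomes clear once DR7 is split into its fields: 0x400 is only the reserved bit that always reads as 1, while 0x700 additionally has the LE and GE exact-breakpoint bits set, and neither value enables any of DR0..DR3. The following is an added example, my own code rather than anything from the post or from SoftICE: it decodes DR7 per the Intel SDM field layout and lists which of DR0..DR3 a given DR7 actually enables, so a stale non-zero address register is not mistaken for an armed breakpoint. The 0xD0401 value and the address list fed to it are constructed.

```python
"""Decode the x86 debug-control register DR7 (added example, not from the post).

Field layout (Intel SDM, vol. 3, "Debug Registers"):
  bit 2i   : L<i>  local enable for DR<i>         (i = 0..3)
  bit 2i+1 : G<i>  global enable for DR<i>
  bit 8    : LE    local exact breakpoint enable
  bit 9    : GE    global exact breakpoint enable
  bit 10   : reserved, always reads as 1
  bit 13   : GD    general detect (traps any access to the debug registers)
  bits 16+4i..17+4i : R/W<i>  condition for DR<i>
  bits 18+4i..19+4i : LEN<i>  length for DR<i>
"""
from typing import Dict, List

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN encoding -> bytes (2 means 8 only in 64-bit mode)


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Split DR7 into named fields; only enabled breakpoints are listed."""
    breakpoints: List[Dict[str, object]] = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3
            ln = (dr7 >> (18 + 4 * i)) & 3
            breakpoints.append({"index": i, "local": local, "global": glob,
                                "condition": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {
        "LE": bool(dr7 & (1 << 8)),
        "GE": bool(dr7 & (1 << 9)),
        "reserved_bit10": bool(dr7 & (1 << 10)),
        "GD": bool(dr7 & (1 << 13)),
        "breakpoints": breakpoints,
    }


def armed_addresses(dr7: int, dr0_3: List[int]) -> List[int]:
    """Linear addresses of the breakpoints that DR7 actually enables.

    A non-zero DR0..DR3 alone is not proof of a breakpoint (the register may
    hold a stale value); the matching enable bit in DR7 must also be set.
    """
    return [dr0_3[bp["index"]] for bp in decode_dr7(dr7)["breakpoints"]]


def describe(dr7: int) -> str:
    """One-line summary in the spirit of the 0x700 / 0x400 contrast above."""
    fields = decode_dr7(dr7)
    flags = [name for name in ("LE", "GE", "GD") if fields[name]]
    count = len(fields["breakpoints"])
    return f"DR7=0x{dr7:X}: flags={'+'.join(flags) or 'none'}, enabled breakpoints={count}"


if __name__ == "__main__":
    for value in (0x400, 0x700, 0xD0401):    # 0xD0401 is a constructed value
        print(describe(value))
    # constructed DR0..DR3 contents: DR0 armed as a 4-byte write watchpoint
    print(armed_addresses(0xD0401, [0x00401000, 0, 0, 0]))
```

The decoder only reads values; it takes the register contents as integers, since DR7 itself is readable only from ring0, exactly as the text says.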
__________________________________________________________________________


Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* CreateFileA explicitly: the device name is a narrow string */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

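Most of the checks above leave fixed byte sequences or strings in the protected binary, which is what an analyst triaging a packed sample wants to find without running it. The scanner below is an added example, my own code and not from the original post or any tool it names: it encodes the instruction sequences quoted in Methods 01, 02, 03/04, 05, 07 and 12 and the strings from Methods 11 and 13 as byte patterns and reports every offset at which they occur. Assumptions: the x86 patterns are the standard 16-bit-operand encodings (a 0x66 operand-size prefix that 32-bit code places in front of some of them is left out of the pattern, and the Method 12 pattern assumes the short 'push imm8' form); the UTF-16LE string variants are my generalization for CreateFileW callers; the SAMPLE buffer is constructed.

```python
"""Static triage of the anti-SoftICE checks described in this thread.

Added example (not code from the original post or from any tool it names):
each signature is the byte encoding of an instruction sequence or string
quoted above, so a packed sample can be flagged without executing it.
"""
import re
from typing import Dict, List, Tuple


def _any(*strings: bytes) -> bytes:
    """Regex alternation of literal strings, in both ASCII and UTF-16LE."""
    alts = []
    for s in strings:
        alts.append(re.escape(s))
        alts.append(re.escape(s.decode("ascii").encode("utf-16-le")))
    return b"(?:" + b"|".join(alts) + b")"


SIGNATURES: List[Tuple[str, bytes]] = [
    # Method 01: mov ebp,4243484Bh ('BCHK')  ->  BD 4B 48 43 42
    ("M01 BoundsChecker int 3 (BCHK in ebp)", rb"\xBD\x4B\x48\x43\x42"),
    # Method 02: mov si,4647h ; mov di,4A4Dh  ->  BE 47 46 BF 4D 4A
    ("M02 int 3 back-door magic (SI=4647h, DI=4A4Dh)", rb"\xBE\x47\x46\xBF\x4D\x4A"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("M03/04 int 2Fh/1684h VxD entry point (SICE or SIWVID)",
     rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh ; int 41h
    ("M05 int 41h/4Fh debugger installation check", rb"\xB8\x4F\x00\xCD\x41"),
    # Method 07: mov ah,43h ; int 68h
    ("M07 int 68h/43h handler check", rb"\xB4\x43\xCD\x68"),
    # Method 12: push 4Fh ; push 002A002Ah  (VWIN32_Int41Dispatch via VxDCall)
    ("M12 VxDCall VWIN32_Int41Dispatch(4Fh)", rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    # Method 11 (MeltICE): device names handed to CreateFileA or _lopen
    ("M11 MeltICE device name",
     _any(b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE")),
    # Method 13: registry paths that reveal the installation directory
    ("M13 SoftICE registry key",
     _any(b"NuMega\\SoftICE", b"Uninstall\\SoftICE", b"App Paths\\Loader32.Exe")),
]
_COMPILED = [(name, re.compile(pat)) for name, pat in SIGNATURES]


def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, signature name) for every hit, ordered by offset."""
    hits = [(m.start(), name) for name, rx in _COMPILED for m in rx.finditer(data)]
    return sorted(hits)


def summarize(data: bytes) -> Dict[str, int]:
    """Hit count per signature; an empty dict means no known trick was seen."""
    counts: Dict[str, int] = {}
    for _, name in scan(data):
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample: NOP/zero filler with four of the tricks embedded.
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01
    + b"\x00" * 8
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                  # Method 05
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00"                                              # Method 11, ASCII
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"              # Method 11, UTF-16LE
    + b"Software\\NuMega\\SoftICE\x00"                                # Method 13
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"0x{offset:04X}  {name}")
```

Run it on a real file with scan(open(path, "rb").read()). A hit is a lead, not proof: the same bytes can occur in legitimate data, and the checks that are computed at runtime (Methods 09, 10 and 14 are VMM calls or register reads) have no static byte signature here.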

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>