<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the next one) is used by the
majority of the packers/encryptors found on the Internet.
It uses the BoundsChecker back door built into SoftICE: with the 'BCHK'
signature in EBP and AX=4, an INT 3 is answered by SoftICE, which changes
AL on return. When SoftICE is not loaded the INT 3 does nothing and AL
still holds 4 afterwards.

 mov ebp, 04243484Bh ; 'BCHK', the BoundsChecker signature
 mov ax, 04h
 int 3
 cmp al, 4           ; AL != 4 means SoftICE answered the back door call
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door commands' of INT 3, which give information about
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE, or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description of the functions (AX on entry):
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at DS:DX)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' SoftICE checks before it honours the call.
For more information, see the "Ralf Brown Interrupt List", chapter INT 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; DS:DX points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; back door call (if SoftICE is not loaded, jump to 00AD*).
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy: jump back.
4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at DS:DX, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT (which reboots the machine).

* When no debugger is loaded, the INT 3 is caught by the program's own
exception handler (an SEH), which resumes execution at 00AD.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the SoftICE VxD ID through
INT 2Fh/AX=1684h (Get Device API Entry Point): ES:DI comes back as
0000:0000 when no VxD with that ID is loaded.

 xor di, di
 mov es, di          ; ES:DI = 0 before the call
 mov ax, 1684h       ; Get VxD API entry point
 mov bx, 0202h       ; VxD ID of WINICE
 int 2Fh
 mov ax, es          ; ES:DI -> VxD API entry point (0:0 if not loaded)
 add ax, di          ; ES+DI is just a cheap "is ES:DI non-zero" test
 test ax, ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding one except that it looks for the ID of the
SoftICE GFX (video) VxD, SIWVID.

 xor di, di
 mov es, di
 mov ax, 1684h
 mov bx, 7A5Fh       ; VxD ID of SIWVID
 int 2Fh
 mov ax, es          ; ES:DI -> VxD API entry point
 add ax, di
 test ax, ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h which every system
debugger returns in AX from INT 41h, function 4Fh (debugger installation
check). There are several variants.

The following one is the simplest:

 mov ax, 4Fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_Detected

The next one and Method 06 are two examples from Stone's "stn-wid.zip"
(www.cracking.net). It temporarily points the INT 41h vector at its own
handler, a plain IRET, so that nothing in the vector table can answer the
call: if AX still comes back as 0F386h, something (SoftICE) caught the
interrupt before it reached the vector table.

 xor ax, ax
 mov es, ax                 ; ES = 0 so that ES:[41h*4] is the IVT entry
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]        ; install our handler, keep the old vector
 xchg bx, es:[41h*4+2]
 mov ax, 4Fh
 int 41h
 xchg dx, es:[41h*4]        ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0F386h
 jz SoftICE_Detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but harder to spot: instead
of looking for 0F386h it checks whether its own INT 41h handler ran at
all. The handler copies AL into CL; AL is loaded from the timer port 40h
(a pseudo-random byte) and CX is zeroed before the call. If SoftICE sits
on INT 41h the program's handler never executes, CL stays 0 and the
comparison fails. (It is silently wrong in the 1-in-256 case where the
timer byte happens to be 0.)

int41handler PROC
 mov cl, al                 ; proof that this handler was reached
 iret
int41handler ENDP

 xor ax, ax
 mov es, ax                 ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]        ; install our handler, keep the old vector
 xchg bx, es:[41h*4+2]
 in al, 40h                 ; pseudo-random byte from the PIT counter
 xor cx, cx
 int 41h
 xchg dx, es:[41h*4]        ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp cl, al
 jnz SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on INT 68h (the V86 debugger interface):
function AH=43h returns AX=0F386h when a debugger is installed.

 mov ah, 43h
 int 68h
 cmp ax, 0F386h
 jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

 BPX Exec_Int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP
is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting INT 01h and INT 03h (the trace and breakpoint interrupts the
debugger relies on) and redirecting them to another routine.
It calls INT 21h functions 25h/35h (set/get interrupt vector) with DS:DX
pointing to the new routine to execute (which hangs the computer...).

 mov ah, 25h                     ; set interrupt vector
 mov al, Int_Number              ; 01h or 03h
 mov dx, offset New_Int_Routine  ; DS:DX -> the new handler
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app through VxDCall).
The Get_DDB service determines whether a VxD is installed for the
specified device and returns its Device Description Block (in ECX) if it
is.

 mov eax, Device_ID   ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID is given (useless here ;-)
 VMMCall Get_DDB
 mov [DDB], ecx       ; ECX = DDB, or 0 if the VxD is not installed

Note that you can easily catch this method with SoftICE:
 BPX Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========

=> Disable or clear your breakpoints before using this feature, and DO NOT
trace with SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (ring 0 only) you can detect whether
SoftICE is loaded (DR7 = 0x700 if the program was loaded with the SoftICE
loader, 0x400 otherwise: bits 8 and 9 are the LE/GE exact-breakpoint
enables, and bit 10 always reads as 1) and whether memory breakpoints
(BPM) are set in DR0 to DR3. The values can also be manipulated or
changed (clearing the BPMs, for instance).

__________________________________________________________________________
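Added example (editor's code, not from the original text and not SoftICE or NuMega code): a C decoder for a DR7 value, showing what the two numbers above encode and how a ring 0 check tells armed BPMs from the idle state. The DR7 read itself (MOV EAX, DR7, ring 0 only) is not shown; the inputs are assumed constants, two taken from the text (0x400 and 0x700) and one constructed with a 4-byte read/write breakpoint armed in DR0.

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (Intel SDM, vol. 3, "Debug Registers"):
 *   bits 0..7    L0 G0 L1 G1 L2 G2 L3 G3  (local/global enable per slot)
 *   bit  8  LE,  bit 9  GE                (local/global exact breakpoints)
 *   bit  10      reserved, always reads as 1 (hence the 0x400 baseline)
 *   bit  13      GD  (general detect: MOV to/from DRn traps into the debugger)
 *   bits 16..31  for slot n: R/Wn at 16+4n (2 bits), LENn at 18+4n (2 bits)
 */
#define DR7_LE (1u << 8)
#define DR7_GE (1u << 9)
#define DR7_GD (1u << 13)

/* Assumed inputs: the two values quoted in the text, plus a constructed one
 * with a BPM-style 4-byte read/write breakpoint armed in DR0
 * (L0 set, R/W0 = 3, LEN0 = 3). */
#define DR7_IDLE           0x400u
#define DR7_SOFTICE_LOADER 0x700u
#define DR7_SAMPLE_BPM_DR0 (DR7_SOFTICE_LOADER | 1u | (3u << 16) | (3u << 18))

typedef struct {
    int enabled; /* L or G bit set for this slot */
    int rw;      /* 0 = execute, 1 = data write, 2 = I/O (needs CR4.DE), 3 = data read/write */
    int len;     /* 0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes (2 = 8 bytes in 64-bit mode) */
} dr7_slot;

static dr7_slot dr7_decode_slot(uint32_t dr7, int n) {
    dr7_slot s;
    s.enabled = ((dr7 >> (2 * n)) & 3u) != 0;
    s.rw      = (int)((dr7 >> (16 + 4 * n)) & 3u);
    s.len     = (int)((dr7 >> (18 + 4 * n)) & 3u);
    return s;
}

/* Bit n of the result is set when DR0+n is armed: non-zero means a BPM (or
 * any other hardware breakpoint) is live and could be cleared by the target. */
static unsigned dr7_armed_mask(uint32_t dr7) {
    unsigned mask = 0;
    for (int n = 0; n < 4; n++)
        if (dr7_decode_slot(dr7, n).enabled)
            mask |= 1u << n;
    return mask;
}

/* The check from the text: flag the machine as debugged when any slot is
 * armed, or when LE/GE are set, which is what turns 0x400 into 0x700. */
static int dr7_looks_debugged(uint32_t dr7) {
    return dr7_armed_mask(dr7) != 0 || (dr7 & (DR7_LE | DR7_GE)) != 0;
}

static void dr7_report(uint32_t dr7) {
    static const char *const rw_names[] = { "exec", "write", "io", "read/write" };
    static const int len_bytes[] = { 1, 2, 8, 4 };
    printf("DR7=0x%08X: %s%s%s\n", (unsigned)dr7,
           dr7_looks_debugged(dr7) ? "debugger suspected" : "clean",
           (dr7 & (DR7_LE | DR7_GE)) ? ", LE/GE set" : "",
           (dr7 & DR7_GD) ? ", GD set" : "");
    for (int n = 0; n < 4; n++) {
        dr7_slot s = dr7_decode_slot(dr7, n);
        if (s.enabled)
            printf("  DR%d armed: %s, %d byte(s)\n", n, rw_names[s.rw], len_bytes[s.len]);
    }
}

int main(void) {
    /* On real hardware the value would come from "mov eax, dr7" in ring 0;
     * the three assumed constants stand in for it here. */
    dr7_report(DR7_IDLE);
    dr7_report(DR7_SOFTICE_LOADER);
    dr7_report(DR7_SAMPLE_BPM_DR0);
    return 0;
}
```

The LE/GE test is the fragile half of the heuristic: it only fires because the SoftICE loader happens to set those bits, so a target relying on it misses a SoftICE that is resident but was not used to load the program. The armed-slot mask is the robust half, and it is also exactly what a target reads back to wipe your BPMs.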

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
itself so that Symbol Loader can check whether SoftICE is active (the code
is located inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver device names (SICE and SIWVID for
Win9x, NTICE for WinNT) with the CreateFileA API. If SoftICE is not
loaded the open fails with INVALID_HANDLE_VALUE.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);    /* the device opened: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, do not expect to
intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall
function), and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN, then
DIOC_CLOSEHANDLE) to the VxD Control_Dispatch proc (how on earth could a
shareware program load/unload a non-dynamically loadable driver such as
SoftICE ;-).
If the VxD is loaded it always clears EAX and the carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

 00401067: push 00402025    ; "\\.\SICE"
 0040106C: call CreateFileA
 00401071: cmp eax, -001    ; INVALID_HANDLE_VALUE
 00401074: je 00401091      ; open failed: not loaded

There are hundreds of BPX you could use to detect this trick.
-The most classical one (esp->4 is the lpFileName argument, +4 skips the
 "\\.\" prefix):
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
   ; will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
   ; will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job (it returns HFILE_ERROR, i.e. -1, on failure,
hence the INC EAX followed by JNZ/JZ):

 push 00                   ; OF_READ
 mov eax, [00656634]       ; "\\.\SICE",0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589              ; detected
 push 00                   ; OF_READ
 mov eax, [00656638]       ; "\\.\SICE"
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae               ; not detected

__________________________________________________________________________
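Added example (editor's code, not the page's MeltICE or nmtrans.dll code): a C version of the probe over all three device names the text lists, plus a host-side copy of the predicate behind the classical BPX above. The open is placed behind a function pointer so the probe logic runs and can be tested without Windows; when built on Win32 the real opener is the same CreateFileA call as in the text. The two fake openers and the sample paths are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Device names as the text lists them: SICE and SIWVID on Win9x, NTICE on NT. */
static const char *const SOFTICE_DEVICES[] = {
    "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"
};
#define SOFTICE_DEVICE_COUNT (sizeof SOFTICE_DEVICES / sizeof SOFTICE_DEVICES[0])

/* An opener tries to open one device path and returns non-zero on success
 * (closing the handle again). Keeping it behind a function pointer lets the
 * probe be exercised without SoftICE, or without Windows at all. */
typedef int (*device_opener)(const char *path);

/* Index into SOFTICE_DEVICES of the first device that opened, or -1. */
static int softice_probe(device_opener open_dev) {
    for (size_t i = 0; i < SOFTICE_DEVICE_COUNT; i++)
        if (open_dev(SOFTICE_DEVICES[i]))
            return (int)i;
    return -1;
}

/* Host-side view of the text's breakpoint condition
 *   BPX CreateFileA if *(esp->4+4)=='SICE' || ...=='SIWV' || ...=='NTIC'
 * esp->4 is lpFileName, +4 skips the "\\.\" prefix, and the 4-byte compare
 * covers SICE, SIWV(ID) and NTIC(E). */
static int is_softice_device_name(const char *path) {
    static const char *const tags[] = { "SICE", "SIWV", "NTIC" };
    if (strncmp(path, "\\\\.\\", 4) != 0 || strlen(path) < 8)
        return 0;
    for (size_t i = 0; i < sizeof tags / sizeof tags[0]; i++)
        if (memcmp(path + 4, tags[i], 4) == 0)
            return 1;
    return 0;
}

#ifdef _WIN32
#include <windows.h>
/* The real opener: the same CreateFileA call MeltICE makes. */
static int open_with_createfile(const char *path) {
    HANDLE h = CreateFileA(path, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE)
        return 0;
    CloseHandle(h);
    return 1;
}
#endif

/* Constructed openers standing in for two machines: one where only the NT
 * driver answers, and one with no SoftICE at all. */
static int fake_opener_ntice_only(const char *path) {
    return strcmp(path, "\\\\.\\NTICE") == 0;
}
static int fake_opener_none(const char *path) {
    (void)path;
    return 0;
}

int main(void) {
    int hit = softice_probe(fake_opener_ntice_only);
    printf("NT-only machine: %s\n", hit < 0 ? "nothing opened" : SOFTICE_DEVICES[hit]);
    hit = softice_probe(fake_opener_none);
    printf("clean machine:   %s\n", hit < 0 ? "nothing opened" : SOFTICE_DEVICES[hit]);
#ifdef _WIN32
    hit = softice_probe(open_with_createfile);   /* live probe on Windows */
    printf("this machine:    %s\n", hit < 0 ? "nothing opened" : SOFTICE_DEVICES[hit]);
#endif

    /* Which CreateFileA arguments would the classical BPX fire on? */
    const char *args[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "C:\\temp\\SICE.txt" };
    for (size_t i = 0; i < sizeof args / sizeof args[0]; i++)
        printf("%-20s -> %s\n", args[i],
               is_softice_device_name(args[i]) ? "breaks" : "ignored");
    return 0;
}
```

Two things the probe makes visible that the one-name sample hides: the target usually walks several names and stops at the first hit, so a breakpoint on only "SICE" can miss an NT check, and the BPX predicate keys on the bytes after the prefix, which is why an ordinary file whose name merely contains SICE does not trigger it.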

Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check
(methods 05 and 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

 push 0000004Fh         ; function 4Fh
 push 002A002Ah         ; high word selects the VxD (002Ah = VWIN32),
                        ; low word selects the service
                        ; (002Ah = VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxDCall
 cmp ax, 0F386h         ; magic number returned by system debuggers
 jz SoftICE_Detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386        ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually key #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all the files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is the subkey string; offsets 0x13
and 0x37 land on the 't' of "SoftICE" in keys #2 and #1 respectively):

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only). It returns with the zero flag set when no debugger is
installed.

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>