<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a widely used method (perhaps the most frequent one). It calls the
SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is located at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; ES:DI = 0000:0000 if the VxD is not loaded
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; es = 0 (interrupt vector table)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler, keeping the old vector in bx:dx
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h          ; our handler does not touch ax: only a debugger returns 0F386h
        jz SoftICE_detected
int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; our handler only copies al into cl
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax               ; es = 0 (interrupt vector table)
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keeping the old vector in bx:dx
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read a changing value (timer counter)
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; cl != al: our handler was never reached
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps).
__________________________________________________________________________
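As an added example (not part of the original text, and not code from any packer or from SoftICE itself), here is a small Python scanner that looks for the byte patterns of Methods 01 to 07 in a raw code image, the kind of check an analyst runs on a sample before loading it in a debugger. The opcode encodings are my assumptions (Method 01 is assumed to sit in a 32-bit code segment, the DOS-era checks in 16-bit code), and the sample bytes are constructed by hand from the Haspinst.exe listing of Method 02 and the simplest Method 05 snippet.

```python
import re

# Byte signatures for the SoftICE checks of Methods 01 to 07 (encodings are assumptions:
# Method 01 as 32-bit code, the others as 16-bit code).  `.{0,8}?` tolerates a few
# unrelated bytes between the register load and the interrupt.
SIGNATURES = [
    ("Method 01", "BoundsChecker 'BCHK' check via int 3",
     rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC"),                    # mov ebp,4243484Bh ... int 3
    ("Method 02", "int 3 back door, SI=4647h / DI=4A4Dh",
     rb"(?:\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46).{0,8}?\xCC"),
    ("Method 03", "int 2Fh/1684h with VxD ID 0202h (SICE)",
     rb"\xBB\x02\x02.{0,8}?\xCD\x2F"),                         # mov bx,0202h ... int 2Fh
    ("Method 04", "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     rb"\xBB\x5F\x7A.{0,8}?\xCD\x2F"),                         # mov bx,7A5Fh ... int 2Fh
    ("Method 05/06", "int 41h function 4Fh",
     rb"\xB8\x4F\x00.{0,8}?\xCD\x41"),                         # mov ax,4Fh ... int 41h
    ("Method 07", "int 68h function 43h",
     rb"\xB4\x43.{0,8}?\xCD\x68"),                             # mov ah,43h ... int 68h
]

# Back door function selected in AX before the int 3 of Method 02.
BACKDOOR_FUNCTIONS = {
    0x0910: "display string",
    0x0911: "execute SoftICE command",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoint",
    0x0914: "remove breakpoint",
}


def backdoor_function(code, at):
    """Name the back door function loaded by the last 16-bit 'mov ax,imm16' (B8 lo hi)
    found in the 16 bytes before offset `at`; None if there is no such load."""
    window = code[max(0, at - 16):at]
    loads = list(re.finditer(rb"\xB8(..)", window, re.DOTALL))
    if not loads:
        return None
    ax = int.from_bytes(loads[-1].group(1), "little")
    return BACKDOOR_FUNCTIONS.get(ax, "unknown function %04Xh" % ax)


def scan(code):
    """Return (offset, method, description, detail) tuples, sorted by offset, for every hit."""
    findings = []
    for method, description, pattern in SIGNATURES:
        for m in re.finditer(pattern, code, re.DOTALL):
            detail = backdoor_function(code, m.start()) if method == "Method 02" else None
            findings.append((m.start(), method, description, detail))
    return sorted(findings, key=lambda f: f[0])


# Constructed sample: the Haspinst.exe loop quoted in Method 02, assembled by hand as
# 16-bit code, followed by the simplest Method 05 check.
SAMPLE = bytes.fromhex(
    "B81109"      # mov ax,0911h        (execute command)
    "8B17"        # mov dx,[bx]
    "BE4746"      # mov si,4647h        (1st magic value)
    "BF4D4A"      # mov di,4A4Dh        (2nd magic value)
    "CC"          # int 3
    "83C302"      # add bx,2
    "41"          # inc cx
    "83F906"      # cmp cx,6
    "72EB"        # jb back to the loop
    "90909090"    # filler
    "B84F00"      # mov ax,4Fh
    "CD41"        # int 41h
    "3D86F3"      # cmp ax,0F386h
    "7400"        # jz SoftICE_detected
)

if __name__ == "__main__":
    for offset, method, description, detail in scan(SAMPLE):
        print("%04X  %-12s %s%s" % (offset, method, description,
                                    " -> " + detail if detail else ""))
```

Running it on the constructed sample reports the Method 02 back door at offset 5 (with AX=0911h resolved to "execute SoftICE command") and the int 41h/4Fh check at offset 25. The patterns deliberately key on the magic values the page lists (4647h/4A4Dh, 0202h/7A5Fh, 4Fh, 43h) rather than on the bare `int` opcodes, which appear far too often in innocent code.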

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (by a VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!


This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the SICE device only succeeds if the SoftICE VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
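As an added example (not part of the original text, and not SoftICE's own expression evaluator), the following Python models the two conditional breakpoints given for Methods 11 and 13 and evaluates them against constructed memory, so the `esp->4+4` and `esp->8+0x13` / `+0x37` offsets can be checked rather than taken on faith. The model assumes that `esp->4` means "the dword at esp+4", that `*(addr)` means "the dword at addr", and that a four-character literal such as 'SICE' matches when those four bytes appear in memory in that order. Every address, the stack layout and the strings are assumptions constructed for this example; only 00402025 and 00401071 are taken from the MeltICE listing above.

```python
class Memory:
    """Flat little-endian memory image starting at `base` (constructed for this example)."""

    def __init__(self, base, size):
        self.base = base
        self.buf = bytearray(size)

    def write(self, addr, data):
        off = addr - self.base
        self.buf[off:off + len(data)] = data

    def write_dword(self, addr, value):
        self.write(addr, value.to_bytes(4, "little"))

    def dword(self, addr):
        # SoftICE's `->` and `*` are modelled as a little-endian dword read.
        off = addr - self.base
        return int.from_bytes(self.buf[off:off + 4], "little")


def char4(literal):
    """Value a 4-character SoftICE literal such as 'SICE' compares equal to, in this model."""
    return int.from_bytes(literal.encode("ascii"), "little")


def createfile_bp(mem, esp):
    """BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
    esp->4 is lpFileName (first argument); +4 skips the '\\\\.\\' device prefix."""
    name = mem.dword(esp + 4)
    return mem.dword(name + 4) in (char4("SICE"), char4("SIWV"), char4("NTIC"))


def regopenkey_bp(mem, esp):
    """BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
    esp->8 is lpSubKey (second argument); 0x13 and 0x37 are where 'tICE' sits in keys #2 and #1."""
    subkey = mem.dword(esp + 8)
    return char4("tICE") in (mem.dword(subkey + 0x13), mem.dword(subkey + 0x37))


def tice_offset(subkey):
    """Offset of 'tICE' inside a registry path (-1 if absent); explains the 0x13 / 0x37 constants."""
    return subkey.find("tICE")


BASE, SIZE = 0x00400000, 0x4000     # constructed image covering the strings and the stack
STACK = 0x00403F00                  # constructed esp at the moment the breakpoint fires


def would_break_on_createfile(filename):
    """Build a CreateFileA(filename, ...) call frame and evaluate the breakpoint condition."""
    mem = Memory(BASE, SIZE)
    name_addr = 0x00402025          # address pushed in the MeltICE listing
    mem.write(name_addr, filename.encode("ascii") + b"\0")
    mem.write_dword(STACK, 0x00401071)       # return address      ([esp])
    mem.write_dword(STACK + 4, name_addr)    # lpFileName          ([esp+4])
    return createfile_bp(mem, STACK)


def would_break_on_regopenkey(subkey):
    """Build a RegOpenKey(HKEY_LOCAL_MACHINE, subkey, ...) frame and evaluate the condition."""
    mem = Memory(BASE, SIZE)
    key_addr = 0x00402100           # constructed address of the subkey string
    mem.write(key_addr, subkey.encode("ascii") + b"\0")
    mem.write_dword(STACK, 0x00401071)       # return address      ([esp])
    mem.write_dword(STACK + 4, 0x80000002)   # HKEY_LOCAL_MACHINE  ([esp+4])
    mem.write_dword(STACK + 8, key_addr)     # lpSubKey            ([esp+8])
    return regopenkey_bp(mem, STACK)


if __name__ == "__main__":
    for name in ("\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE", "C:\\readme.txt"):
        print("CreateFileA(%-16r) breaks: %s" % (name, would_break_on_createfile(name)))
    for key in ("Software\\NuMega\\SoftICE",
                "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
                "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe"):
        print("RegOpenKey(%r): 'tICE' at %#x, breaks: %s"
              % (key, tice_offset(key), would_break_on_regopenkey(key)))
```

The `tice_offset` helper shows where the two constants come from: 'tICE' begins at byte 0x13 of `Software\NuMega\SoftICE` and at byte 0x37 of `Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE`. It also shows the limit of that breakpoint: key #3 (`...\App Paths\Loader32.Exe`) contains no 'tICE' at either offset, so an app that only reads key #3 does not trigger it.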

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>