<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of the BoundsChecker interface in SoftICE:

 mov ebp, 04243484Bh       ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al, 4                 ; al is left untouched when SoftICE is absent
 jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get VxD entry point"):

 xor di,di
 mov es,di                 ; es:di = 0:0 before the call
 mov ax, 1684h
 mov bx, 0202h             ; VxD ID of winice
 int 2Fh
 mov ax, es                ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax                ; still 0:0 if the VxD is not loaded
 jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh             ; VxD ID of SIWVID
 int 2fh
 mov ax, es                ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by every system
debugger. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax                 ; es = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]       ; install our own int 41h handler,
 xchg bx, es:[41h*4+2]     ; keeping the old vector in dx:bx
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]       ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al                 ; our own handler copies al into cl
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax                 ; es = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]       ; install our handler, old vector kept in dx:bx
 xchg bx, es:[41h*4+2]
 in al, 40h                ; arbitrary value (PIT counter 0)
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]       ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp cl,al                 ; cl == al only if our handler was reached
 jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
 app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...).

 mov ah, 25h                    ; DOS: set interrupt vector
 mov al, Int_Number             ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> new handler
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID        ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name      ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx            ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________
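As an added illustration (not part of the original text), the following Python
decoder interprets a DR7 value according to the architectural bit layout, so
the 0x700 / 0x400 observation above can be read bit by bit: 0x400 is only the
reserved bit 10 (which always reads as 1), while 0x700 additionally has LE and
GE set. Reading DR7 itself is a ring0 operation and is not shown here; the
sample values are constructed, and looks_like_softice_loader() is simply this
page's heuristic expressed as a function.

```python
# Added example: decode an x86 DR7 value (the register Method 10 reads).
# Layout (architectural): L0..L3 = bits 0,2,4,6; G0..G3 = bits 1,3,5,7;
# LE = bit 8; GE = bit 9; bit 10 reserved (reads 1); GD = bit 13;
# R/Wn = bits 16+4n..17+4n; LENn = bits 18+4n..19+4n.

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Return which hardware breakpoint slots are armed plus the LE/GE/GD flags."""
    slots = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue                      # slot n is not enabled at all
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append({
            "slot": n,
            "scope": "global" if glob else "local",
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "enabled": slots,
        "le": bool(dr7 & 0x100),          # local exact breakpoint enable
        "ge": bool(dr7 & 0x200),          # global exact breakpoint enable
        "gd": bool(dr7 & 0x2000),         # general detect (traps on DRx access)
    }


def looks_like_softice_loader(dr7: int) -> bool:
    """The page's heuristic: LE and GE set (0x700) vs. the bare reserved bit (0x400)."""
    return (dr7 & 0x700) == 0x700


if __name__ == "__main__":
    # Constructed sample values: the two from the text plus a dr7 with a
    # local 4-byte write breakpoint armed in slot 0 (L0, R/W0=01, LEN0=11).
    for value in (0x700, 0x400, 0xD0401):
        print(hex(value), decode_dr7(value), looks_like_softice_loader(value))
```

The decoder deliberately reports the enabled slots separately from the LE/GE
bits: a packer that only compares dr7 against 0x700 misses the case where the
debugger armed a BPM (dr0..dr3) without the loader, which is why the text also
mentions reading dr0 to dr3.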
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the device name of the SoftICE VxD */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;        /* the driver is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025   ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-1      ; INVALID_HANDLE_VALUE
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
*(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                   ; OF_READ
 mov eax,[00656634]        ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax                   ; HFILE_ERROR (-1) becomes 0
 jnz 00650589              ; detected
 push 00                   ; OF_READ
 mov eax,[00656638]        ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae               ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh            ; function 4fh
 push 002a002ah            ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001     ; VxDCall
 cmp ax, 0f386h            ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

BPINT 41 if ax==4f

BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

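The constants listed in Methods 01, 02, 03/04, 05, 11, 12 and 13 are all
fixed immediates or strings, so an analyst can look for them statically before
ever running a sample under a debugger. The following Python scanner is an
added example (not code from the original text or from any of the tools it
names) that does exactly that over a raw binary image. The byte patterns are
my own encodings of the instruction sequences shown in those sections and
assume the usual forms (16-bit immediates for the int 3, int 2Fh and int 41h
variants, 32-bit for the 'BCHK' load and the VxDCall pushes); real code may
use prefixes, other registers or a different order, so treat a miss as
inconclusive and a hit as a reason to look at that offset. SAMPLE is a
constructed buffer, not a real executable.

```python
# Added example: static scanner for the anti-SoftICE constants catalogued
# in Methods 01, 02, 03/04, 05, 11, 12 and 13. Patterns are hand-encoded
# x86 byte sequences (assumed forms); SAMPLE is a constructed buffer.
import re
import sys

# (label, compiled byte regex, description). re.S lets '.' match any byte
# so a few unrelated instructions may sit between the key ones.
SIGNATURES = [
    ("Method 01",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCD\x03", re.S),   # mov ebp,4243484Bh ... int 3
     "BoundsChecker 'BCHK' magic in ebp followed by int 3"),
    ("Method 02",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A", re.S),       # mov si,4647h ... mov di,4A4Dh
     "SoftICE back door magic values SI=4647h / DI=4A4Dh"),
    ("Method 03/04",
     re.compile(rb"\xB8\x84\x16.{0,6}?\xBB(?:\x02\x02|\x5F\x7A).{0,6}?\xCD\x2F", re.S),
     "int 2Fh/1684h entry-point query for VxD ID 0202h (SICE) or 7A5Fh (SIWVID)"),
    ("Method 05",
     re.compile(rb"\xB8\x4F\x00\xCD\x41"),                         # mov ax,4Fh / int 41h
     "int 41h function 4Fh debugger-installation check"),
    ("Method 12",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),                 # push 4Fh / push 002A002Ah
     "VxDCall VWIN32_Int41Dispatch (002A002Ah) with function 4Fh"),
    ("Method 11",
     re.compile(re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)\x00"),
     "device name of a SoftICE driver (CreateFileA / _lopen check)"),
    ("Method 13",
     re.compile(re.escape(b"Software\\NuMega\\SoftICE"), re.I),
     "SoftICE registry key"),
]


def scan(image: bytes) -> list:
    """Return (offset, label, description) hits sorted by offset."""
    hits = []
    for label, pattern, description in SIGNATURES:
        for match in pattern.finditer(image):
            hits.append((match.start(), label, description))
    return sorted(hits)


def report(image: bytes) -> list:
    """One human-readable line per hit."""
    return ["%08x  %-13s %s" % hit for hit in scan(image)]


# Constructed sample: NOP padding around hand-encoded copies of the tricks.
SAMPLE = b"".join([
    b"\x90" * 16,
    b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCD\x03",  # mov ebp,'BCHK'; mov ax,4; int 3
    b"\x90" * 5,
    b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCD\x03",  # mov ax,0911h; mov si; mov di; int 3
    b"\x90" * 5,
    b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F",              # mov ax,1684h; mov bx,0202h; int 2Fh
    b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3",              # mov ax,4Fh; int 41h; cmp ax,0F386h
    b"\x6A\x4F\x68\x2A\x00\x2A\x00",                  # push 4Fh; push 002A002Ah
    b"\\\\.\\SICE\x00\\\\.\\NTICE\x00",               # driver device names
    b"Software\\NuMega\\SoftICE\x00",                 # registry key
])

if __name__ == "__main__":
    # Scan the file given on the command line, or the constructed SAMPLE.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for line in report(data):
        print(line)
```

The Method 11 and 13 patterns are the most robust ones, since a device name
or registry path has to appear literally; the instruction patterns are
heuristics and are best read as "worth disassembling here", which pairs
naturally with the BPX conditions given above for confirming the behaviour at
run time.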
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>