About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; ES = 0: es:[41h*4] is the IVT entry for int 41h
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install a dummy int 41h handler, saving the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h      ; the dummy handler never returns the magic value
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; only runs if no debugger has taken over int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; pseudo-random value read from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; cl==al only if our own handler was really reached
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver's device name only succeeds if the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
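The tricks in Methods 01 to 07, 11 and 13 above all leave fixed byte sequences or strings in the protected program, which is what an analyst triaging a packer or a suspicious sample looks for. The following Python script is an added example and is not part of the original post: it scans a raw code/data buffer for the standard x86 encodings of the snippets shown above (mov ebp,4243484Bh + int 3; the SI=4647h/DI=4A4Dh magic values; int 2Fh/1684h with the SICE/SIWVID IDs; int 41h/4Fh; int 68h/43h; cmp ax,0F386h; the MeltICE device names; the NuMega registry key) and reports the offset of each hit. The short instruction gaps allowed by the regexes and the sample buffer at the bottom are constructed for the demonstration and are not taken from any real binary.

```python
"""Static triage for the classic anti-SoftICE checks (added example)."""
import re

# (label, regex over raw bytes).  re.S lets '.' also match the 0x0A byte.
# The '.{0,N}?' gaps allow a few unrelated instructions between the parts.
# A 32-bit operand-size prefix (66h) in front of a 16-bit mov is simply
# skipped, so the same patterns work for 16-bit and 32-bit code.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3  -> BD 4B 48 43 42 .. CC
    ("M01 BCHK int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.S)),
    # Method 02: mov si,4647h ... mov di,4A4Dh (back door magic values)
    ("M02 back door magic SI/DI",
     re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A", re.S)),
    # Methods 03/04: mov ax,1684h ... mov bx,0202h|7A5Fh ... int 2Fh
    ("M03/04 int 2Fh/1684h",
     re.compile(rb"\xB8\x84\x16.{0,16}?\xBB(?:\x02\x02|\x5F\x7A).{0,16}?\xCD\x2F",
                re.S)),
    # Method 05: mov ax,4Fh ... int 41h
    ("M05 int 41h/4Fh",
     re.compile(rb"\xB8\x4F\x00.{0,16}?\xCD\x41", re.S)),
    # Method 07: mov ah,43h ... int 68h
    ("M07 int 68h/43h",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.S)),
    # Methods 05/07/12: cmp ax,0F386h -> 3D 86 F3 (the magic value compare)
    ("M05/07/12 cmp ax,0F386h",
     re.compile(rb"\x3D\x86\xF3")),
    # Method 11 (MeltICE): the device names handed to CreateFileA / _lopen
    ("M11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 13: the registry key naming the SoftICE install (ASCII form)
    ("M13 registry key",
     re.compile(rb"Software\\NuMega\\SoftICE", re.I)),
]


def scan(buf):
    """Return a list of (offset, label, matched_bytes), sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(buf):
            hits.append((m.start(), label, m.group(0)))
    hits.sort(key=lambda h: h[0])
    return hits


def summarize(buf):
    """Map each signature label to the offsets at which it was found."""
    report = {}
    for off, label, _ in scan(buf):
        report.setdefault(label, []).append(off)
    return report


# Constructed sample: several of the sequences from the post assembled into
# one buffer with NOP/zero filler (NOT a real binary).
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"              # mov ebp,4243484Bh
    + b"\x66\xB8\x04\x00"                  # mov ax,04h (32-bit encoding)
    + b"\xCC"                              # int 3
    + b"\x3C\x04\x75\x10"                  # cmp al,4 / jnz ...
    + b"\x90" * 8
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"  # mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"  # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x00" * 5
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"   # MeltICE device names
)

if __name__ == "__main__":
    for off, label, raw in scan(SAMPLE):
        print(f"{off:#06x}  {label:26s}  {raw.hex(' ')}")
```

Run on a real file, `scan(open(path, "rb").read())` gives the offsets to inspect in a disassembler; the patterns are deliberately tight, so an absence of hits says nothing about hand-obfuscated variants (for example a magic value built arithmetically rather than loaded as an immediate).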
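For Method 10, the dr7 values 0x700 and 0x400 quoted above are easier to interpret once the register is split into its documented bit fields. The following Python decoder is an added example and not part of the original post: it decodes DR7 according to the x86 architecture manuals (L/G enable bits for DR0..DR3 in bits 0-7, LE bit 8, GE bit 9, reserved bit 10 that always reads as 1, GD bit 13, and the R/W and LEN fields at bits 16+4n and 18+4n) so that the difference between 0x700 and 0x400, and the presence of memory breakpoints (BPMs) in DR0..DR3, can be read off. The `classify` rule of thumb restates the post's observation and is an assumption, not a guarantee about any SoftICE version; the value 0xD0401 used in the demo is constructed.

```python
"""Decode the x86 DR7 debug control register (added example)."""

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes (64-bit mode only)


def decode_dr7(dr7):
    """Return the LE/GE/GD flags and one entry per enabled DR0..DR3 breakpoint."""
    breakpoints = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1        # Ln: enabled for the current task
        glob = (dr7 >> (2 * n + 1)) & 1     # Gn: enabled for all tasks
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3      # R/Wn: what kind of access breaks
        ln = (dr7 >> (18 + 4 * n)) & 3      # LENn: size of the watched range
        breakpoints.append({
            "reg": f"DR{n}",
            "local": bool(local),
            "global": bool(glob),
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "LE": bool(dr7 & (1 << 8)),          # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),          # global exact breakpoint enable
        "GD": bool(dr7 & (1 << 13)),         # general detect (trap on DR access)
        "breakpoints": breakpoints,
    }


def classify(dr7):
    """Rule of thumb taken from the post (an assumption, not a SoftICE fact):
    0x700 = LE+GE set, as when the target was loaded through the SoftICE
    loader; 0x400 = only the reserved bit; any enabled DRn = BPMs are set."""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        return "memory breakpoints (BPM) active in DR0..DR3"
    if info["LE"] and info["GE"]:
        return "LE/GE set: matches the dr7=0x700 SoftICE-loader pattern"
    return "no breakpoints, LE/GE clear: matches the dr7=0x400 pattern"


def describe(dr7):
    """One-line human-readable summary, e.g. for a triage log."""
    info = decode_dr7(dr7)
    parts = [f"DR7={dr7:#x}", f"LE={int(info['LE'])}",
             f"GE={int(info['GE'])}", f"GD={int(info['GD'])}"]
    for bp in info["breakpoints"]:
        scope = "G" if bp["global"] else "L"
        parts.append(f"{bp['reg']}:{scope}:{bp['kind']}:{bp['length']}B")
    return " ".join(parts)


if __name__ == "__main__":
    # 0xD0401 is a constructed value: DR0 local, write access, 4 bytes, bit 10 set.
    for value in (0x400, 0x700, 0xD0401):
        print(describe(value), "->", classify(value))
```

The decoder is the same one a kernel-side anti-tamper check or a debugger plugin would need; reading DR0..DR7 at all requires ring0, as the post notes, so in user mode the values normally come from a thread context (CONTEXT.Dr7) rather than from a mov from the register.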