About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE: with EBP holding the
'BCHK' signature and AX=04h, an INT 3 is answered by SoftICE, which alters
AL; if nobody is listening, AL still holds 04h afterwards.

    mov     ebp, 04243484Bh        ; 'BCHK' BoundsChecker signature
    mov     ax, 04h
    int     3                      ; SoftICE hooks INT 3 and services the request
    cmp     al, 4                  ; AL unchanged -> no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It uses the
SoftICE 'Back Door' interface on INT 3, which gives information on breakpoints,
executes SoftICE commands...
It is also used to crash SoftICE or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; the command string is at DS:DX)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; DS:DX points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jump back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at DS:DX, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT (which reboots the machine).

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It looks for the SoftICE VxD via INT 2Fh/AX=1684h
(Get Device API Entry Point): if the VxD is loaded, ES:DI receives its
API entry point, otherwise ES:DI is left at 0:0.

    xor     di,di
    mov     es,di
    mov     ax, 1684h       ; Get Device API Entry Point
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI still 0:0 -> not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger.  It calls INT 41h (the Windows debugger interface),
function 4Fh, the 'Debugger installation check'.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one (method 06) are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net).
The program installs its own INT 41h handler (a bare IRET) so that, without a
debugger, AX comes back unchanged; SoftICE intercepts INT 41h before the
vector in the IVT is reached and still returns 0F386h:

    xor     ax,ax
    mov     es,ax           ; ES -> interrupt vector table (segment 0)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; swap in our handler, keep the old vector in BX:DX
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect (there is
no AX=4Fh to trap on and no compare against 0F386h).
It reads an arbitrary byte from the timer (port 40h) into AL and installs an
INT 41h handler that copies AL into CL.  If the handler runs, CL equals AL
afterwards; if SoftICE intercepted the INT 41h instead, CL is still 0:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; ES -> interrupt vector table (segment 0)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; swap in our handler, keep the old vector in BX:DX
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; pseudo-random byte from PIT channel 0
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; did our handler get to run?
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on INT 68h (V86 mode)

    mov     ah,43h          ; debugger installation check
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting INT 01h and INT 03h and redirecting them to another routine.
It calls INT 21h functions 25h and 35h (set/get interrupt vector); DS:DX
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, 01h                     ; or 03h (INT 1 / INT 3)
    mov     dx, offset New_Int_Routine  ; DS:DX -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ECX)
if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
   mov     edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature.  DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (ring 0 only) you can detect if SoftICE is
loaded (DR7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or if there are memory breakpoints (BPM) set, since their addresses
live in DR0 to DR3 and their enable bits in DR7.  The values can be manipulated
or changed as well (clearing BPMs, for instance).
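Method 10 reads DR7 and DR0-DR3 but does not say which bits such a check looks at. The following Python is an added example (not from the text above, and not anything SoftICE or NuMega ships): it decodes register values the way a ring-0 check would, using the DR7 bit layout from the Intel manuals, shows the 0x400 versus 0x700 difference the text mentions (0x400 is only the always-set reserved bit 10; 0x700 adds the LE and GE bits 8 and 9), lists any armed BPMs, and shows what "clearing BPMs" amounts to. Actually reading the registers is ring-0 work; the register values fed in here are constructed inputs.

```python
"""Decode x86 debug registers as a ring-0 anti-SoftICE check would see them.

Added example, not code from the original text.  Register values used below
are constructed for illustration; nothing here reads real DRx registers.
"""

# DR7 layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7  : L0,G0,L1,G1,L2,G2,L3,G3  local/global enable of breakpoint n
#   bit 8     : LE   bit 9 : GE          exact-match bits (386/486 era)
#   bit 10    : reserved, always reads as 1  -> the idle value 0x400
#   bit 13    : GD                       trap on any MOV to/from a DRx
#   bits 16+  : R/Wn (2 bits) then LENn (2 bits) for breakpoint n
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7, dr0_3):
    """Return the hardware breakpoints armed by DR7, with their DR0-DR3 addresses."""
    armed = []
    for n, addr in enumerate(dr0_3):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        armed.append({"slot": n, "addr": addr, "kind": RW_KIND[rw],
                      "len": LEN_BYTES[ln],
                      "scope": "global" if glob else "local"})
    return armed


def softice_indicators(dr7, dr0_3):
    """The two observations of Method 10: LE/GE set (DR7 == 0x700 rather than
    the idle 0x400 when the program was started by the SoftICE loader), and
    BPM breakpoints armed in DR0-DR3."""
    return {
        "le_ge_set": bool(dr7 & 0x300),          # bits 8 and 9
        "general_detect": bool(dr7 & (1 << 13)),
        "bpm": decode_dr7(dr7, dr0_3),
    }


def clear_bpm(dr7):
    """What a hostile program does next: drop every enable, R/W and LEN field,
    keeping only bits 8-15 (LE/GE/GD) and the always-one reserved bit."""
    return (dr7 & 0xFF00) | 0x400


if __name__ == "__main__":
    # Constructed: one global 4-byte read/write BPM in slot 0 (G0=1, RW0=3, LEN0=3)
    # on top of the 0x700 left by the SoftICE loader.
    dr7 = 0x700 | 0x2 | (3 << 16) | (3 << 18)
    print(hex(dr7), softice_indicators(dr7, [0x401000, 0, 0, 0]))
    print(hex(clear_bpm(dr7)))
```

The check is purely a decode of CPU state: a program that can reach ring 0 (a VxD on Win9x) reads the registers with `mov eax, dr7` and then applies exactly this logic, which is why the text warns to clear breakpoints before letting such code run.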

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com.  However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.  Opening a device name that is not
present fails with INVALID_HANDLE_VALUE; if the driver is loaded, the open
succeeds.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and is thus detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is (esp->4 is lpFileName, +4 skips the "\\.\" prefix):
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor.  This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey string; offset 0x13 is
'tICE' in "Software\NuMega\SoftICE" and 0x37 is 'tICE' in key #1):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service.  As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.

7 J  f7 I0 V! k) Q; U, k( I/ `</PRE></TD></TR></TBODY></TABLE>