<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a much-used method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of winice
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh       ; VxD ID of SIWVID
    int 2fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect.
The handler copies AL into CL; if SoftICE intercepts int 41h, the handler is
never reached, CL stays at zero and the final compare fails:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
    (function called is located at byte ptr [ebp+1Dh] and client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
whether some memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).

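To make the register values in this method concrete, here is a decoder for DR7, added as an example (it is not part of the original text and not code from any tool named here). It assumes only the Intel-documented DR7 bit layout; the reading of 0x400 versus 0x700 follows the statement above. The values would come from a crash dump, a VM or a ring0 component, since user mode cannot read the debug registers directly, and the sample values at the bottom are constructed.

```python
# Added example: decode the x86 DR7 debug-control register (not part of the
# original text).  Layout per the Intel SDM: bits 0-7 are L0,G0 .. L3,G3
# (local/global enable for DR0-DR3), bit 8 LE, bit 9 GE, bit 10 reserved and
# always read as 1, bit 13 GD, and for breakpoint n: R/Wn in bits 16+4n..17+4n
# and LENn in bits 18+4n..19+4n.

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
# LEN encoding is not linear: 0 -> 1 byte, 1 -> 2 bytes, 3 -> 4 bytes,
# and 2 -> 8 bytes (64-bit mode only; undefined on 32-bit CPUs).
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Return a dict with the global flags and every armed breakpoint."""
    dr7 &= 0xFFFFFFFF
    bps = []
    for n in range(4):
        local = bool(dr7 >> (2 * n) & 1)
        glob = bool(dr7 >> (2 * n + 1) & 1)
        if not (local or glob):
            continue                      # DRn is not enabled, skip it
        rw = dr7 >> (16 + 4 * n) & 3
        ln = dr7 >> (18 + 4 * n) & 3
        bps.append({
            "index": n,
            "local": local,
            "global": glob,
            "kind": RW_KIND[rw],
            # Execute breakpoints must use LEN=0; report 1 byte for them.
            "length": 1 if rw == 0 else LEN_BYTES[ln],
        })
    return {
        "le": bool(dr7 >> 8 & 1),
        "ge": bool(dr7 >> 9 & 1),
        "reserved_bit10": bool(dr7 >> 10 & 1),
        "gd": bool(dr7 >> 13 & 1),
        "breakpoints": bps,
    }


def describe(dr7, dr0_3=(0, 0, 0, 0)):
    """One-line verdict in the terms Method 10 uses.  dr0_3 are the linear
    addresses held in DR0..DR3 (captured or constructed), used for display."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        where = ", ".join("DR%d=%08X (%s, %d byte%s)" % (
            b["index"], dr0_3[b["index"]], b["kind"], b["length"],
            "" if b["length"] == 1 else "s") for b in d["breakpoints"])
        return "hardware breakpoints armed: " + where
    if d["le"] and d["ge"]:
        # 0x700 = LE and GE set on top of the always-on bit 10; the page
        # attributes this value to programs started by the SoftICE loader.
        return "LE/GE set (0x700 pattern): SoftICE loader signature"
    return "no debug-register indication (0x400 pattern)"


if __name__ == "__main__":
    # Constructed sample values, not captured from a real system.
    samples = (
        (0x400, (0, 0, 0, 0)),
        (0x700, (0, 0, 0, 0)),
        (0x700 | 0x1 | (1 << 16) | (3 << 18), (0x00401000, 0, 0, 0)),
    )
    for value, regs in samples:
        print("DR7=%08X -> %s" % (value, describe(value, regs)))
```

The third sample arms DR0 as a local 4-byte write breakpoint (L0 set, R/W0=01, LEN0=11), which is what a BPM-style memory breakpoint looks like in the register; the decoder reports it even though LE/GE are also set, since an armed breakpoint is the stronger signal.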
__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

/* MeltICE-style check: try to open the SoftICE Win9x driver by its
   device name. The open only succeeds if the VxD is loaded. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (code 05
& 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall back door. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

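Seen from the analyst's side, most of the tricks on this page leave recognisable constants in the binary, so a static scan of a file image or memory dump will usually flag them before the program ever runs. The following scanner is an added example (not part of the original text, and not code from any tool or program named here): it searches a byte buffer for the opcode sequences of Methods 01, 02, 03/04, 05/06, 07 and 12, for the MeltICE device names of Method 11 and for the registry paths of Method 13. The byte encodings are the standard x86 ones for the instructions quoted above; the sample buffer and the gap limits allowed between instructions are constructed assumptions.

```python
# Added example (not from the original text): static scan of a byte buffer for
# the SoftICE-detection patterns described in Methods 01-13.  Encodings are the
# standard x86 ones for the quoted instructions; the 16/24-byte gaps allowed
# between instructions are an assumption that tolerates a few interleaved ops.
import re

DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]     # Method 11
REGISTRY_KEYS = [                                                        # Method 13
    b"Software\\NuMega\\SoftICE",
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
    b"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
]

# (label, pattern, regex flags).  Opcode rules are case-sensitive on purpose:
# IGNORECASE would let 0x4B ('K') match 0x6B ('k') and so on.
RULES = [
    # Method 01: mov ebp, 4243484Bh ('BCHK')  ->  BD 4B 48 43 42
    ("01 BoundsChecker 'BCHK' signature", rb"\xBD\x4B\x48\x43\x42", re.DOTALL),
    # Method 02: mov si,4647h (BE 47 46) and mov di,4A4Dh (BF 4D 4A), either order
    ("02 INT 3 back door magic (SI=4647h, DI=4A4Dh)",
     rb"\xBE\x47\x46.{0,16}\xBF\x4D\x4A|\xBF\x4D\x4A.{0,16}\xBE\x47\x46", re.DOTALL),
    # Method 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("03/04 INT 2Fh/1684h VxD query (SICE or SIWVID)",
     rb"\xB8\x84\x16.{0,16}\xBB(?:\x02\x02|\x5F\x7A).{0,16}\xCD\x2F", re.DOTALL),
    # Method 05/06: int 41h followed by cmp ax,0F386h (3D 86 F3)
    ("05/06 INT 41h debugger check with 0F386h compare",
     rb"\xCD\x41.{0,24}\x3D\x86\xF3", re.DOTALL),
    # Method 07: mov ah,43h ; int 68h
    ("07 INT 68h/43h check", rb"\xB4\x43\xCD\x68", re.DOTALL),
    # Method 12: push 002A002Ah (VWIN32_Int41Dispatch service number)
    ("12 VxDCall VWIN32_Int41Dispatch", rb"\x68\x2A\x00\x2A\x00", re.DOTALL),
    ("11 MeltICE device name", b"|".join(re.escape(s) for s in DEVICE_NAMES), re.IGNORECASE),
    ("13 SoftICE registry key", b"|".join(re.escape(s) for s in REGISTRY_KEYS), re.IGNORECASE),
]
COMPILED = [(label, re.compile(pat, flags)) for label, pat, flags in RULES]


def scan(data):
    """Return a sorted list of (offset, label) for every pattern found."""
    hits = []
    for label, rx in COMPILED:
        for m in rx.finditer(data):
            hits.append((m.start(), label))
    return sorted(hits)


def methods_found(data):
    """The set of method numbers (first word of each label) present in data."""
    return {label.split()[0] for _, label in scan(data)}


# Constructed sample image: hand-assembled fragments of Methods 01, 02, 03
# and 05 plus a MeltICE device name and a registry path, padded with NOPs.
SAMPLE = b"".join([
    b"\x90" * 4,
    bytes.fromhex("BD4B484342"),                 # mov ebp,4243484Bh            (01)
    bytes.fromhex("66B80400CC3C04"),             # mov ax,4 / int 3 / cmp al,4
    b"\x90" * 3,
    bytes.fromhex("B811098B17"),                 # mov ax,0911h / mov dx,[bx]   (02)
    bytes.fromhex("BE4746BF4D4ACC"),             # mov si,4647h / mov di,4A4Dh / int 3
    bytes.fromhex("33FF8EC7B88416BB0202CD2F"),   # xor di,di / mov es,di / ... (03)
    bytes.fromhex("B84F00CD413D86F3"),           # mov ax,4Fh / int 41h / cmp ax,0F386h (05)
    b"\\\\.\\SICE\x00",                          # Method 11 string
    b"Software\\NuMega\\SoftICE\x00",            # Method 13 string
])


if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print("0x%04X  %s" % (offset, label))
```

The gap quantifiers are what keep this useful against lightly rearranged code (a packer that slips a `nop` or a register move between the `mov` and the `int`), and the string rules are the ones that generalise least: a program can build `\\.\SICE` at run time, which is why the SoftICE breakpoints quoted above, which fire on the actual call, remain the stronger check.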
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>