<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature interface in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3                 ; SoftICE answers the BoundsChecker call and changes al
    cmp al,4              ; without SoftICE, al is still 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di,di
    mov es,di             ; es:di = 0:0 before the call
    mov ax, 1684h
    mov bx, 0202h         ; VxD ID of winice
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di            ; still 0:0 if the VxD is not loaded
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh         ; VxD ID of SIWVID
    int 2fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax             ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]   ; install our own int 41h handler, old vector in bx:dx
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]   ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h        ; our handler leaves ax untouched
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========


2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al             ; record that the interrupt reached our handler
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax             ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]   ; install our handler, old vector in bx:dx
    xchg bx, es:[41h*4+2]
    in al, 40h            ; unpredictable value from the timer port
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]   ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al             ; cl==al only if our handler really ran
    jnz SoftICE_detected  ; something else (SoftICE) swallowed the int 41h
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h                       ; DOS set interrupt vector
    mov al, Int_Number                ; 01h or 03h
    mov dx, offset New_Int_Routine    ; ds:dx -> new handler
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx        ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or if memory breakpoints are set (dr0 to dr3), simply by reading their
values (in ring0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________
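Added example (not part of the original text): a small Python decoder for the DR7 value this method reads, following the DR7 bit layout from the Intel manuals. It shows why the two values quoted above carry no breakpoints: 0x700 is only LE, GE and the always-set reserved bit 10, and 0x400 is the reserved bit alone; a real BPM shows up as one of the L/G enable bits plus an R/W and LEN field. The extra sample values in main() are constructed here.

```python
"""Decode an x86 DR7 value (Method 10 reads it in ring0).

Bit layout (Intel SDM Vol. 3, "Debug Registers"):
  bits 0-7  : L0,G0,L1,G1,L2,G2,L3,G3  local/global enable per breakpoint
  bit 8     : LE   bit 9: GE   bit 10: reserved, always reads 1   bit 13: GD
  bits 16+4n: R/Wn (2 bits)    bits 18+4n: LENn (2 bits)   for n = 0..3
"""

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # 2 (8 bytes) is only valid on 64-bit CPUs

# Values quoted on the page: under the SoftICE loader and without it.
DR7_SOFTICE_LOADER = 0x700
DR7_PLAIN = 0x400


def decode_dr7(dr7):
    """Return the active breakpoints (slot -> scope/type/length) and the flag bits."""
    breakpoints = {}
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue          # neither enable bit set: DRn holds no active breakpoint
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        breakpoints[n] = {
            "scope": "global" if glob else "local",
            "type": RW_NAMES[rw],
            "length": LEN_BYTES[ln],
        }
    return {
        "breakpoints": breakpoints,
        "le": bool(dr7 & 0x100),
        "ge": bool(dr7 & 0x200),
        "gd": bool(dr7 & 0x2000),
    }


def describe(dr7):
    """One-line human summary, handy when dumping a register snapshot."""
    d = decode_dr7(dr7)
    flags = [name for name in ("le", "ge", "gd") if d[name]]
    if not d["breakpoints"]:
        return "dr7=%#x: no hardware breakpoints (flags: %s)" % (dr7, ",".join(flags) or "none")
    parts = ["dr%d %s %s len=%d" % (n, b["scope"], b["type"], b["length"])
             for n, b in sorted(d["breakpoints"].items())]
    return "dr7=%#x: %s (flags: %s)" % (dr7, "; ".join(parts), ",".join(flags) or "none")


if __name__ == "__main__":
    # Constructed samples: the two page values, a local 4-byte read/write BPM in
    # slot 0, and a global execute breakpoint in slot 3.
    for value in (DR7_SOFTICE_LOADER, DR7_PLAIN, 0xF0701, 0x480):
        print(describe(value))
```

The page's two values decode to "no hardware breakpoints", which is exactly what makes the LE/GE bits (0x700 vs 0x400) the only thing left for the check to key on.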
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID on Win9x, NTICE on
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the VxD's device name only succeeds when the SICE driver is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;      /* handle opened: SoftICE is active */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it is then detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                  ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                  ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                   ; HFILE_ERROR (-1) becomes 0
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected

__________________________________________________________________________

Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check (methods 05
and 06) but very limited, because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                      ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'


__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
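Added example (not the page's code, nor any project's): a Python scanner that searches a raw binary for the byte encodings of the instruction sequences and strings listed in the methods above, the way an analyst triages a sample for anti-SoftICE checks before stepping into it. The encodings are the plain x86 ones for the listings on this page (16-bit operand size unless the comment says otherwise); the sample buffer in build_sample() is constructed here so the scanner has something to hit. The three-byte cmp ax,0F386h pattern is deliberately labelled noisy.

```python
"""Static triage scanner for the SoftICE detection idioms listed on this page."""

# (label, byte pattern, what the pattern corresponds to on the page)
SIGNATURES = [
    ("Method 01", b"\xBD\x4B\x48\x43\x42",
     "mov ebp,4243484Bh ('BCHK') before int 3"),
    ("Method 02", b"\xBE\x47\x46\xBF\x4D\x4A",
     "mov si,4647h / mov di,4A4Dh back door magic values (16-bit code)"),
    ("Method 02", b"\x66\xBE\x47\x46\x66\xBF\x4D\x4A",
     "same magic values with 66h prefixes (32-bit code)"),
    ("Method 03", b"\xBB\x02\x02\xCD\x2F",
     "mov bx,0202h / int 2Fh (VxD ID of SICE)"),
    ("Method 04", b"\xBB\x5F\x7A\xCD\x2F",
     "mov bx,7A5Fh / int 2Fh (VxD ID of SIWVID)"),
    ("Method 05", b"\xB8\x4F\x00\xCD\x41",
     "mov ax,4Fh / int 41h debugger installation check"),
    ("Method 05/07/12", b"\x3D\x86\xF3",
     "cmp ax,0F386h system debugger magic number (3 bytes: noisy, confirm by hand)"),
    ("Method 07", b"\xB4\x43\xCD\x68",
     "mov ah,43h / int 68h"),
    ("Method 12", b"\x68\x2A\x00\x2A\x00",
     "push 002A002Ah (VWIN32 / VWIN32_Int41Dispatch) before VxDCall"),
]
# Method 11 (MeltICE / _lopen) and Method 13 need these strings in the image.
for name in (b"SICE", b"SIWVID", b"NTICE"):
    SIGNATURES.append(("Method 11", b"\\\\.\\" + name, "device name %s" % name.decode()))
SIGNATURES.append(("Method 13", b"NuMega\\SoftICE",
                   "registry key HKLM\\Software\\NuMega\\SoftICE"))


def scan(buf):
    """Return a sorted list of (offset, label, description), one per hit."""
    hits = []
    for label, pattern, description in SIGNATURES:
        start = 0
        while True:
            idx = buf.find(pattern, start)
            if idx == -1:
                break
            hits.append((idx, label, description))
            start = idx + 1          # keep going; a packer may repeat the check
    hits.sort()
    return hits


def build_sample():
    """Constructed buffer: NOP filler around a Method 01 stub, a Method 05 stub
    and two MeltICE device names. Not taken from any real binary."""
    filler = b"\x90" * 16
    method01 = b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x00"
    method05 = b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00"
    meltice = b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"
    return filler + method01 + filler + method05 + filler + meltice + filler


if __name__ == "__main__":
    for offset, label, description in scan(build_sample()):
        print("%#06x  %-16s %s" % (offset, label, description))
```

To use it on a file, pass the file's bytes to scan(); the patterns are anchored on immediates, so a protector that assembles the constants in registers or decrypts the stub at run time will not be caught by this static pass, which is why the SoftICE breakpoints listed under each method remain the reliable check.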
</PRE></TD></TR></TBODY></TABLE>