About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; es is assumed to be 0 (interrupt vector table):
    xchg    bx, es:[41h*4+2]    ; install a dummy int 41h handler
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; the dummy handler records that it really ran
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; es = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install the dummy int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; a varying value (PIT counter), so cl==al is no coincidence
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; if SoftICE answered the int itself, the handler never ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                     ; DOS set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
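An added DR7 decoder to make sense of the dr7 values quoted above (example code, not from the original text); the bit layout is Intel's documented DR7 format and the sample values are constructed here:

```python
# DR7 layout (Intel SDM vol. 3, "Debug Registers"), used to interpret the
# values quoted above:
#   bits 0-7  : L0,G0,L1,G1,L2,G2,L3,G3  local/global enable for DR0..DR3
#   bits 8, 9 : LE, GE (exact breakpoint enable; together 0x300)
#   bit 10    : reserved, always reads as 1 (hence the 0x400 baseline)
#   bit 13    : GD, general detect (trap on any MOV to/from a debug register)
#   bits 16+4i,17+4i : R/Wi  00 execute, 01 write, 10 I/O, 11 read/write
#   bits 18+4i,19+4i : LENi  00 1 byte, 01 2 bytes, 11 4 bytes, 10 8 bytes
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}


def decode_dr7(dr7, dr=(0, 0, 0, 0)):
    """Describe the breakpoints DR7 enables; dr is the (DR0..DR3) address tuple."""
    bps = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        bps.append({"reg": i, "addr": dr[i], "scope": "global" if glob else "local",
                    "kind": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return {
        "breakpoints": bps,
        "exact": bool(dr7 & 0x300),          # what separates 0x700 from 0x400
        "general_detect": bool(dr7 & 0x2000),
    }


def softice_indicators(dr7, dr=(0, 0, 0, 0)):
    """Apply the heuristic from Method 10 and return human-readable findings."""
    info = decode_dr7(dr7, dr)
    findings = []
    if info["exact"]:
        findings.append("LE/GE set (dr7=0x700 pattern): program started under the SoftICE loader")
    if info["general_detect"]:
        findings.append("GD set: the debugger traps debug-register access itself")
    for bp in info["breakpoints"]:
        findings.append(f"DR{bp['reg']} {bp['scope']} {bp['kind']} breakpoint, "
                        f"{bp['len']} byte(s) at {bp['addr']:#x}: a BPM is set")
    return findings


# Constructed value: a program loaded by the SoftICE loader (0x700) with a
# 4-byte write BPM on DR0 (L0=1, R/W0=01, LEN0=11).
BPM_DR7 = 0x700 | 0x1 | (0x1 << 16) | (0x3 << 18)   # 0xD0701
```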

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
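The instruction bytes and strings these methods leave in a binary can be searched for statically; the following scanner is an added example (not from the original text) covering Methods 01, 02, 03, 04, 05, 07, 11, 12 and 13. The opcode encodings are the standard x86 ones for the instructions quoted in each method, and the sample input is constructed, not a real executable.

```python
import re
import sys

# Byte signatures for the anti-SoftICE tricks described above, as an analyst
# triage aid. Opcode bytes are the standard x86 encodings of the instructions
# quoted in each method; the optional 66h prefix covers a 16-bit immediate
# appearing in 32-bit code. Short gaps (.{0,n}?) allow a few instructions
# between the characteristic loads and the interrupt/compare.
SIGNATURES = [
    ("01", "mov ebp,4243484Bh ('BCHK') BoundsChecker check",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42")),
    ("02", "mov si,4647h ... mov di,4A4Dh back door magic values",
     re.compile(rb"\x66?\xBE\x47\x46.{0,16}?\x66?\xBF\x4D\x4A", re.DOTALL)),
    ("03", "int 2Fh/1684h with VxD ID 0202h (SICE)",
     re.compile(rb"\xBB\x02\x02.{0,8}?\xCD\x2F", re.DOTALL)),
    ("04", "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     re.compile(rb"\xBB\x5F\x7A.{0,8}?\xCD\x2F", re.DOTALL)),
    ("05", "mov ax,4Fh / int 41h / cmp ax,0F386h",
     re.compile(rb"\xB8\x4F\x00\xCD\x41.{0,8}?\x66?\x3D\x86\xF3", re.DOTALL)),
    ("07", "mov ah,43h / int 68h / cmp ax,0F386h",
     re.compile(rb"\xB4\x43\xCD\x68.{0,8}?\x66?\x3D\x86\xF3", re.DOTALL)),
    ("11", "SoftICE device name passed to CreateFileA/_lopen",
     re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00")),
    ("12", "push 4Fh / push 002A002Ah VxDCall to VWIN32_Int41Dispatch",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    ("13", "SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
]


def scan(data):
    """Return a sorted list of (offset, method, description) for every hit.
    Hits are triage hints, not proof: a stray 3D 86 F3 can occur in data."""
    hits = []
    for method, desc, pattern in SIGNATURES:
        for m in pattern.finditer(data):
            hits.append((m.start(), method, desc))
    return sorted(hits)


# Constructed sample input (not a real binary): the Method 01 check, the
# Method 02 magic-value loads from the Haspinst loop, a Method 05 int 41h
# probe, two MeltICE device names and the NuMega registry key, NOP-separated.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"      # Method 01
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"       # Method 02
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                       # Method 05
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00" + b"\\\\.\\NTICE\x00"                  # Method 11
    + b"Software\\NuMega\\SoftICE\x00"                          # Method 13
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, method, desc in scan(blob):
        print(f"{off:#010x}  Method {method}: {desc}")
```

Run with a file path to scan a real binary; with no argument it scans the constructed sample.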
</PRE></TD></TR></TBODY></TABLE>