<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature handled by SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints, execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(API Get entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of winice
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; assumes es = 0, so es:[41h*4] is the int 41h entry of the IVT
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]        ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]        ; ...and restore the previous vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al             ; our handler copies al into cl
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h             ; arbitrary value (timer) in al
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al             ; cl != al: our handler never ran
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number            ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the \\.\SICE device (SoftICE for Win9x) can be opened. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                    ; OF_READ
    mov eax,[00656634]         ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589               ; detected
    push 00                    ; OF_READ
    mov eax,[00656638]         ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh             ; function 4fh
    push 002a002ah             ; high word specifies which VxD (VWIN32),
                               ; low word specifies which service
                               ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001      ; VxdCall
    cmp ax, 0f386h             ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386     ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

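As an added example (not part of the original text), the following Python script scans a raw binary for the byte patterns of methods 01, 02, 05, 11 and 12 above, the way an analyst would triage a packed sample for anti-SoftICE checks before debugging it. The opcode encodings are standard x86; the signature names and the sample image are constructed here and are not from the page.

```python
import re

# One pattern per trick; the comments give the instruction bytes matched.
SIGNATURES = {
    # Method 01 (32-bit): mov ebp,4243484Bh ('BCHK') = BD 4B 48 43 42,
    # followed within a few bytes by int 3 = CC.
    "m01_bchk_int3": re.compile(
        rb"\xBD\x4B\x48\x43\x42.{0,12}?\xCC", re.DOTALL),
    # Method 02: mov si,4647h = (66) BE 47 46 and mov di,4A4Dh = (66) BF 4D 4A,
    # the 'FG'/'JM' back door magic values, allowing a few bytes in between.
    "m02_backdoor_magic": re.compile(
        rb"(?:\x66)?\xBE\x47\x46.{0,8}?(?:\x66)?\xBF\x4D\x4A", re.DOTALL),
    # Method 05 (16-bit): mov ax,4Fh ; int 41h ; cmp ax,0F386h
    "m05_int41_4f": re.compile(rb"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"),
    # Method 11: NUL-terminated device names handed to CreateFileA / _lopen.
    "m11_device_name": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # Method 12: push 4Fh (6A 4F or 68 4F 00 00 00) ; push 2A002Ah (68 2A 00 2A 00)
    "m12_vxdcall_int41": re.compile(
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
}


def scan(image: bytes):
    """Return a sorted list of (offset, signature_name) hits in the image."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(image):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample "binary": filler bytes around fragments of each trick.
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"      # method 01, offset 16
    + b"\x00" * 8
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"              # method 02, offset 39
    + b"\x00" * 8
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                      # method 05, offset 54
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00" + b"\\\\.\\NTICE\x00"                 # method 11, 70 and 79
    + b"\x00" * 8
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x00\x00\x00"  # method 12, offset 97
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"0x{offset:06x}  {name}")
```

Run it over a real file with `scan(open(path, "rb").read())`; a hit is a lead to inspect in the disassembler, not proof by itself, since the 16-bit patterns can also occur by chance in data.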
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>